From b2d10fbff783fd3a91e3b29908f63168cb1b4cd8 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Thu, 10 Aug 2023 10:25:21 +0100 Subject: [PATCH 1/5] :truck: Refactor computing pillar to match style of information governance pillar and add links to component type --- docs/source/pillars/computing_technology.md | 52 ++++---------- docs/source/pillars/information_governance.md | 68 +++++++++---------- 2 files changed, 48 insertions(+), 72 deletions(-) diff --git a/docs/source/pillars/computing_technology.md b/docs/source/pillars/computing_technology.md index 905e1fb3..65f6d0d7 100644 --- a/docs/source/pillars/computing_technology.md +++ b/docs/source/pillars/computing_technology.md @@ -23,9 +23,7 @@ The required compute resources will vary according to the scale of data and comp The ability of the TRE operator to provide and manage devices, workspaces, interfaces and applications used by researchers to interact with underlying systems and data. -### End user computing interfaces - -Software or systems that allows people to interact with the TRE. +**End user computing interfaces:** This group of {term}`application components ` is a collection of systems and software that allows people to interact with the TRE. This may include desktop, command-line and/or code-submission interfaces. ```{list-table} @@ -50,9 +48,7 @@ This may include desktop, command-line and/or code-submission interfaces. - Optional ``` -### Software tools - -The tools used by researchers inside a TRE, such as programming languages, IDEs and desktop applications. +**Software tools:** This {term}`application component ` is the tools used by researchers inside a TRE, such as programming languages, IDEs and desktop applications. ```{list-table} :header-rows: 1 
@@ -87,9 +83,7 @@ The tools used by researchers inside a TRE, such as programming languages, IDEs - Mandatory ``` -### Code Version Control System - -Systems and tools providing version control and collaboration features for code developed inside the TRE. +**Code Version Control System:** This {term}`application component ` is the systems and tools providing version control and collaboration features for code developed inside the TRE. ```{list-table} :header-rows: 1 @@ -104,9 +98,7 @@ Systems and tools providing version control and collaboration features for code - Recommended ``` -### Artefact management - -A service that manages and organises third-party software artefacts such as packaged code libraries or containers. +**Artefact Management Application:** This {term}`application component ` is a service that manages and organises third-party software artefacts such as packaged code libraries or containers. ```{list-table} :header-rows: 1 @@ -124,9 +116,7 @@ A service that manages and organises third-party software artefacts such as pack - Optional ``` -### Advanced or cluster computing - -Advanced, powerful computer resources to solve complex problems and process large amounts of data, possibly using specialised hardware. +**Advanced or Cluster Computing System:** This {term}`application component ` involves the use of advanced, powerful computer resources to solve complex problems and process large amounts of data, possibly using specialised hardware. ```{list-table} :header-rows: 1 
@@ -163,10 +153,8 @@ Advanced, powerful computer resources to solve complex problems and process larg The ability of the TRE operator to deploy, change or remove physical or virtual infrastructure. -### Infrastructure deployment - -The process of setting up and configuring infrastructure components and resources to support applications or services. -This involves development, installation, configuration, and validation. +**Infrastructure Deployment Process:** This {term}`business process ` involves setting up and configuring infrastructure components and resources to support applications or services. +This requires development, installation, configuration, and validation. ```{list-table} :header-rows: 1 @@ -194,9 +182,7 @@ This involves development, installation, configuration, and validation. - Recommended ``` -### Infrastructure removal - -The process of retiring or removing infrastructure assets that are no longer needed or outdated, ensuring proper data handling and disposal. +**Infrastructure Removal Process:** This {term}`business process ` involves retiring or removing infrastructure assets that are no longer needed or outdated, ensuring proper data handling and disposal. ```{list-table} :header-rows: 1 @@ -210,9 +196,7 @@ The process of retiring or removing infrastructure assets that are no longer nee - Mandatory ``` -### Availability management - -The process of ensuring all IT infrastructure meets the agreed levels of availability. +**Availability Management Process:** This {term}`business process ` involves ensuring all IT infrastructure meets the agreed levels of availability. ```{list-table} :header-rows: 1 
@@ -230,9 +214,7 @@ The process of ensuring all IT infrastructure meets the agreed levels of availab - Recommended ``` -### Network management - -An application used to manage network infrastructure, ensuring proper functioning, security, and performance. +**Network Management Application:** This {term}`application component ` is an application used to manage network infrastructure, ensuring proper functioning, security, and performance. ```{list-table} :header-rows: 1 @@ -256,9 +238,7 @@ An application used to manage network infrastructure, ensuring proper functionin - Mandatory ``` -### Infrastructure analytics - -The ability of the TRE operator to record and analyse data about the usage of the TRE. +**Infrastructure analytics application:** This {term}`application component ` is an application which enables the TRE operator to record and analyse data about the usage of the TRE. ```{list-table} :header-rows: 1 @@ -280,9 +260,7 @@ The ability of the TRE operator to record and analyse data about the usage of th ## Capacity management -### Capacity planning - -The process of forecasting and determining the resources required to meet the demands of an application or system, ensuring that adequate resources are available when needed. +**Capacity Planning Process:** This {term}`business process ` involves forecasting and determining the resources required to meet the demands of an application or system, ensuring that adequate resources are available when needed. ```{list-table} :header-rows: 1 @@ -304,9 +282,7 @@ The process of forecasting and determining the resources required to meet the de - Mandatory ``` -### Billing - -The process of generating and managing invoices and bills for projects within the TRE. +**Billing Process:** This {term}`business process ` involves generating and managing invoices and bills for projects within the TRE. It involves calculation, issuance, and recording of payments and receipts. ```{list-table} 
@@ -324,7 +300,7 @@ It involves calculation, issuance, and recording of payments and receipts. ### Configuration management -The ability of the TRE operator to identify, maintain, and verify information on IT assets and configurations in the TRE operator. +**Configuration Management Process:** This {term}`business process ` involves the TRE operator identifying, maintaining, and verifying information on IT assets and configurations in the TRE organisation. ```{list-table} :header-rows: 1 diff --git a/docs/source/pillars/information_governance.md b/docs/source/pillars/information_governance.md index 51d21a43..a1ad559e 100644 --- a/docs/source/pillars/information_governance.md +++ b/docs/source/pillars/information_governance.md @@ -17,7 +17,7 @@ For example, some requirements will arise from national legislation such as GDPR ## Governance Requirements -**Requirements Gathering and Monitoring:** The process of collecting, documenting, and managing the functional and non-functional requirements for the TRE based on the TRE organisation's goals and data assets. +**Requirements Gathering and Monitoring:** This {term}`business process ` involves collecting, documenting, and managing the functional and non-functional requirements for the TRE based on the TRE organisation's goals and data assets. ```{list-table} :header-rows: 1 @@ -33,7 +33,7 @@ For example, some requirements will arise from national legislation such as GDPR - Mandatory ``` -**Controls:** Measures, safeguards, or mechanisms implemented to manage or mitigate risks and ensure the integrity, confidentiality, availability, and reliability of systems, processes, or data. +**Controls:** This {term}`business process ` involves measures, safeguards, or mechanisms implemented to manage or mitigate risks and ensure the integrity, confidentiality, availability, and reliability of systems, processes, or data. ```{list-table} :header-rows: 1 
@@ -47,7 +47,7 @@ For example, some requirements will arise from national legislation such as GDPR - Mandatory ``` -**Resource Allocation:** The process of assigning, distributing, and managing resources (such as personnel, finances, equipment, or time) within the TRE organisation to meet objectives and priorities effectively. +**Resource Allocation Process:** This {term}`business process ` involves assigning, distributing, and managing resources (such as personnel, finances, equipment, or time) within the TRE organisation to meet objectives and priorities effectively. ```{list-table} :header-rows: 1 @@ -65,11 +65,11 @@ For example, some requirements will arise from national legislation such as GDPR What the organisation does to measure and control quality of processes, documentation and outputs. -**Document and SOP Management:** Creating, organising, updating, and controlling documents and Standard Operating Procedures (SOPs) within the TRE organisation. +**Document and SOP Management Process:** This {term}`business process ` involves creating, organising, updating, and controlling documents and Standard Operating Procedures (SOPs) within the TRE organisation. ```{list-table} :header-rows: 1 -:name: tab-ig-quality-management +:name: tab-ig-document-management * - Statement - Guidance 
@@ -82,11 +82,11 @@ What the organisation does to measure and control quality of processes, document - Mandatory ``` -**Quality Management Reporting:** The generation and dissemination of reports or dashboards that provide insights and metrics on the performance and effectiveness of quality management processes and activities. +**Quality Management Process:** This {term}`business process ` involves the generation and dissemination of reports or dashboards that provide insights and metrics on the performance and effectiveness of quality management processes and activities. ```{list-table} :header-rows: 1 -:name: tab-ig-quality-management-reporting +:name: tab-ig-quality-management * - Statement - Guidance @@ -96,7 +96,7 @@ What the organisation does to measure and control quality of processes, document - Mandatory ``` -**Internal Audit:** An independent evaluation process within the TRE organisation that assesses and improves its internal controls, risk management, and governance. +**Internal Audit Process:** This {term}`business process ` involves an independent evaluation process within the TRE organisation that assesses and improves its internal controls, risk management, and governance. ```{list-table} :header-rows: 1 @@ -113,7 +113,7 @@ What the organisation does to measure and control quality of processes, document - Mandatory ``` -**Supplier Management and Monitoring:** A structured approach to managing and monitoring relationships with external suppliers, vendors and contractors, including selection, contract management and compliance oversight. +**Supplier Management and Monitoring Process:** This {term}`business process ` involves a structured approach to managing and monitoring relationships with external suppliers, vendors and contractors, including selection, contract management and compliance oversight. ```{list-table} :header-rows: 1 
@@ -132,7 +132,7 @@ What the organisation does to measure and control quality of processes, document - Mandatory ``` -**Asset Management Process:** A systematic approach to acquiring, operating, maintaining, and disposing of assets within an organization, aimed at maximizing their value and minimizing risks. +**Asset Management Process:** This {term}`business process ` involves a systematic approach to acquiring, operating, maintaining, and disposing of assets within an organization, aimed at maximizing their value and minimizing risks. ```{list-table} :header-rows: 1 @@ -147,7 +147,7 @@ What the organisation does to measure and control quality of processes, document - Mandatory (where physical assets are in scope) ``` -**Issue Management Process:** A systematic approach to identifying, tracking, resolving, and managing issues or problems that arise within a TRE organisation, aiming to minimize their impact and ensure timely resolution. +**Issue Management Process:** This {term}`business process ` involves a systematic approach to identifying, tracking, resolving, and managing issues or problems that arise within a TRE organisation, aiming to minimize their impact and ensure timely resolution. ```{list-table} :header-rows: 1 @@ -164,7 +164,7 @@ What the organisation does to measure and control quality of processes, document - Mandatory ``` -**Quality Management Data:** Data, including training records and configuration data, collected and used to monitor, evaluate, and improve the quality of processes, or services within the TRE organisation. +**Quality Management Data:** This {term}`data object ` consists of data, including training records and configuration data, collected and used to monitor, evaluate, and improve the quality of processes, or services within the TRE organisation. ```{list-table} :header-rows: 1 
@@ -179,17 +179,17 @@ What the organisation does to measure and control quality of processes, document - Recommended ``` -**Electronic Quality Management System Application:** A software application or platform used to manage and automate quality management processes, including document control, corrective actions, audits, and performance tracking. +**Quality Management System Application:** This {term}`application component ` is a software application or platform used to manage and automate quality management processes, including document control, corrective actions, audits, and performance tracking. ```{list-table} :header-rows: 1 -:name: tab-ig-electronic-quality-management-system-application +:name: tab-ig-quality-management-system-application * - Statement - Guidance - Importance -* - You could use an eQMS (Electronic Quality Management System) to standardise and automate quality management tasks and workflows, and to generate quality data and reports automatically. - - A basis eQMS could be a set of spreadsheets or documents held in a repository which are manually maintained. +* - You could use a QMS (Quality Management System) to standardise and automate quality management tasks and workflows, and to generate quality data and reports automatically. + - A basis QMS could be a set of spreadsheets or documents held in a repository which are manually maintained. More mature applications will provide workflows and generate quality data through manual and automated actions. - Optional ``` 
@@ -198,7 +198,7 @@ What the organisation does to measure and control quality of processes, document What the organisation does to ensure information risk is measured and managed to an acceptable level. -**Risk Assessment:** The systematic evaluation and analysis of potential risks, threats, or vulnerabilities, including their likelihood, potential impact, and the effectiveness of existing controls or mitigation measures. +**Risk Assessment Process:** This {term}`business process ` involves the systematic evaluation and analysis of potential risks, threats, or vulnerabilities, including their likelihood, potential impact, and the effectiveness of existing controls or mitigation measures. ```{list-table} :header-rows: 1 @@ -215,7 +215,7 @@ What the organisation does to ensure information risk is measured and managed to - Mandatory ``` -**Risk Treatment:** The selection and implementation of strategies, controls, or measures to manage or mitigate identified risks, such as risk avoidance, risk transfer, risk reduction, or risk acceptance. +**Risk Treatment Process:** This {term}`business process ` involves the selection and implementation of strategies, controls, or measures to manage or mitigate identified risks, such as risk avoidance, risk transfer, risk reduction, or risk acceptance. ```{list-table} :header-rows: 1 @@ -229,7 +229,7 @@ What the organisation does to ensure information risk is measured and managed to - Mandatory ``` -**Risk Ownership:** The assignment of responsibility and accountability to individuals or entities for managing and mitigating specific risks within the TRE organisation. +**Risk Ownership Process:** This {term}`business process ` involves the assignment of responsibility and accountability to individuals or entities for managing and mitigating specific risks within the TRE organisation. ```{list-table} :header-rows: 1 
@@ -251,7 +251,7 @@ What the organisation does to ensure information risk is measured and managed to What the organisation does to create and maintain research projects and work packages within the TRE. -**Study Onboarding:** The process of onboarding or initiating a research study, including setting up necessary infrastructure, obtaining approvals, and defining protocols or methodologies. +**Study Onboarding Process:** This {term}`business process ` involves onboarding or initiating a research study, including setting up necessary infrastructure, obtaining approvals, and defining protocols or methodologies. ```{list-table} :header-rows: 1 @@ -265,7 +265,7 @@ What the organisation does to create and maintain research projects and work pac - Mandatory ``` -**Compliance Checking:** The act of verifying and ensuring adherence to applicable laws, regulations, standards, or internal policies within the TRE organisation. +**Compliance Checking Process:** This {term}`business process ` involves verifying and ensuring adherence to applicable laws, regulations, standards, or internal policies within the TRE organisation. ```{list-table} :header-rows: 1 @@ -283,7 +283,7 @@ What the organisation does to create and maintain research projects and work pac - Mandatory ``` -**Study Closure:** The formal conclusion of a research study or project, including final data analysis, reporting, documentation, and archiving. +**Study Closure Process:** This {term}`business process ` involves the formal conclusion of a research study or project, including final data analysis, reporting, documentation, and archiving. ```{list-table} :header-rows: 1 
@@ -297,7 +297,7 @@ What the organisation does to create and maintain research projects and work pac - Mandatory ``` -**Study Management Portal:** An online platform that provides centralised access to manage research studies including onboarding studies, control of access and administration of compliance tasks. +**Study Management Portal:** This {term}`application component ` is an online platform that provides centralised access to manage research studies including onboarding studies, control of access and administration of compliance tasks. ```{list-table} :header-rows: 1 @@ -312,7 +312,7 @@ What the organisation does to create and maintain research projects and work pac - Optional ``` -**Data Asset Register:** A database or other electronic record that documents and manages information about the TRE organisation's data assets, including their characteristics, ownership, usage, and other relevant details. +**Data Asset Register:** This {term}`data object ` is a database or other electronic record that documents and manages information about the TRE organisation's data assets, including their characteristics, ownership, usage, and other relevant details. ```{list-table} :header-rows: 1 @@ -328,7 +328,7 @@ What the organisation does to create and maintain research projects and work pac - Mandatory ``` -**Study Register:** A centralised record or database that tracks and manages information about research studies and projects. +**Study Register:** This {term}`data object ` is a centralised record or database that tracks and manages information about research studies and projects. ```{list-table} :header-rows: 1 
@@ -346,7 +346,7 @@ What the organisation does to create and maintain research projects and work pac Ability to ensure that people with access to data are correctly identified and they are suitably qualified. -**Identity Verification:** The process of confirming or authenticating the identity of individuals or entities, often through the verification of personal information, credentials, or biometric data. +**Identity Verification Process:** This {term}`business process ` involves confirming or authenticating the identity of individuals or entities, often through the verification of personal information, credentials, or biometric data. ```{list-table} :header-rows: 1 @@ -360,7 +360,7 @@ Ability to ensure that people with access to data are correctly identified and t - Mandatory ``` -**User Onboarding:** The process of introducing and integrating researchers and data consumers onto a TRE's systems, processes, including training, access provisioning, and orientation. +**User Onboarding Process:** This {term}`business process ` involves introducing and integrating researchers and data consumers onto a TRE's systems, processes, including training, access provisioning, and orientation. ```{list-table} :header-rows: 1 @@ -374,7 +374,7 @@ Ability to ensure that people with access to data are correctly identified and t - Mandatory ``` -**Identity and Access Management Services:** Govern and control user identities, access privileges, authentication, and authorization within an organisation. +**Identity and Access Management Services:** This {term}`application component ` is a system to govern and control user identities, access privileges, authentication, and authorization within an organisation. ```{list-table} :header-rows: 1 
@@ -391,7 +391,7 @@ Ability to ensure that people with access to data are correctly identified and t - Mandatory ``` -**Authentication Application:** A software system that verifies and validates the identities of users or entities accessing a system through multifactor authentication. +**Authentication Application:** This {term}`application component ` is a software system that verifies and validates the identities of users or entities accessing a system through multifactor authentication. ```{list-table} :header-rows: 1 @@ -405,7 +405,7 @@ Ability to ensure that people with access to data are correctly identified and t - Mandatory ``` -**User Identity Attributes:** Characteristics or attributes associated with a user's identity, such as username, email address, role, permissions, or affiliations. +**User Identity Attributes:** This {term}`data object ` consists of characteristics or attributes associated with a user's identity, such as username, email address, role, permissions, or affiliations. ```{list-table} :header-rows: 1 @@ -424,7 +424,7 @@ Ability to ensure that people with access to data are correctly identified and t Ability to deliver, track and maintain adequate training levels to ensure competence of all people within the TRE organisation. -**Curriculum Creation and Management:** The process of designing, developing, and managing educational curricula, courses through training needs analysis for required competency. +**Curriculum Creation and Management Process:** This {term}`business process ` involves designing, developing, and managing educational curricula, courses through training needs analysis for required competency. ```{list-table} :header-rows: 1 
@@ -449,7 +449,7 @@ Ability to deliver, track and maintain adequate training levels to ensure compet - Mandatory ``` -**Certification Management:** The process of managing and overseeing certifications or qualifications held by individuals or entities, including tracking expiry dates, renewals, and compliance requirements. +**Certification Management Process:** This {term}`business process ` involves managing and overseeing certifications or qualifications held by individuals or entities, including tracking expiry dates, renewals, and compliance requirements. ```{list-table} :header-rows: 1 @@ -466,7 +466,7 @@ Ability to deliver, track and maintain adequate training levels to ensure compet - Recommended ``` -**Learning Management System:** A software platform or application that facilitates the administration, delivery, and tracking of educational or training programs, often including course materials, assessments, and learner progress tracking. +**Learning Management System:** This {term}`application component ` is a software platform or application that facilitates the administration, delivery, and tracking of educational or training programs, often including course materials, assessments, and learner progress tracking. ```{list-table} :header-rows: 1 @@ -480,7 +480,7 @@ Ability to deliver, track and maintain adequate training levels to ensure compet - Optional ``` -**Courses Data:** Information or data associated with educational courses, including course materials and syllabi, assessments. +**Courses Data:** This {term}`data object ` consists of information or data associated with educational courses, including course materials and syllabi, assessments. ```{list-table} :header-rows: 1 From 1fb16795596f7d330f17faa37ec3a6e3442b6336 Mon Sep 17 00:00:00 2001 
From: James Robinson Date: Thu, 10 Aug 2023 10:33:28 +0100 Subject: [PATCH 2/5] :memo: Update structure of data_management and supporting pillars --- docs/source/pillars/data_management.md | 20 +++++----------- docs/source/pillars/supporting.md | 32 +++++++++++--------------- 2 files changed, 19 insertions(+), 33 deletions(-) diff --git a/docs/source/pillars/data_management.md b/docs/source/pillars/data_management.md index 8e8a1409..9e8e7580 100644 --- a/docs/source/pillars/data_management.md +++ b/docs/source/pillars/data_management.md @@ -167,9 +167,7 @@ These measures include vulnerability management of TRE infrastructure (whether p (vulnerability-management)= -### Vulnerability management - -_The ability of the TRE operator to identify, assess, report on, manage and remediate technical vulnerabilities across endpoints, workloads, and systems._ +**Vulnerability Management:** The ability of the TRE operator to identify, assess, report on, manage and remediate technical vulnerabilities across endpoints, workloads, and systems. ```{list-table} :header-rows: 1 @@ -197,9 +195,7 @@ _The ability of the TRE operator to identify, assess, report on, manage and reme (security-testing)= -### Security testing - -_Security testing enables the TRE operator to gain assurance in the security of a TRE by testing or attempting to breach some or all of that system's security._ +**Security testing:** Security testing enables the TRE operator to gain assurance in the security of a TRE by testing or attempting to breach some or all of that system's security. ```{list-table} :header-rows: 1 
@@ -228,9 +224,7 @@ _Security testing enables the TRE operator to gain assurance in the security of (encryption)= -### Encryption - -_The ability of the TRE operator to deploy and manage encryption to protect information assets, including data for TRE research projects._ +**Encryption:** The ability of the TRE operator to deploy and manage encryption to protect information assets, including data for TRE research projects. Here we define 'project' data as the data brought in for work which is very likely to be sensitive and 'user' data, as the working files of a project which might hold copies of all or part of the project data or otherwise reveal sensitive data (_e.g._ through hard coded row/column names). @@ -264,9 +258,7 @@ Here we define 'project' data as the data brought in for work which is very like (physical-security)= -### Physical security - -_The ability of the TRE operator to manage and protect physical assets from unauthorised access, damage or destruction._ +**Physical security:** The ability of the TRE operator to manage and protect physical assets from unauthorised access, damage or destruction. Physical security controls can provide TREs using highly sensitive data an extra layer of security, even if technical controls are already in place for less sensitive data: 
@@ -289,9 +281,9 @@ Physical security controls can provide TREs using highly sensitive data an extra (security-level)= -## Security levels and tiering +## Security Levels and Tiering -_The ability of the TRE deployment software (or active TRE) to configure security controls appropriate to the sensitivity of the data used in a project or workspace._ +The ability of the TRE deployment software (or active TRE) to configure security controls appropriate to the sensitivity of the data used in a project or workspace. Security controls can add friction to the user experience and hinder work. A one-size-fits-all approach forces all projects to use the strictest security configuration even when that is unnecessary. diff --git a/docs/source/pillars/supporting.md b/docs/source/pillars/supporting.md index 1347ff7a..f8b9ede3 100644 --- a/docs/source/pillars/supporting.md +++ b/docs/source/pillars/supporting.md @@ -13,7 +13,7 @@ SATRE Pillars Capability Map ## Business continuity management -_What the TRE operator does to ensure the development, testing, and maintenance of business continuity plans._ +What the TRE operator does to ensure the development, testing, and maintenance of business continuity plans. ```{list-table} :header-rows: 1 @@ -32,7 +32,7 @@ _What the TRE operator does to ensure the development, testing, and maintenance ## Project and programme management -_What the TRE operator does to ensure effective management of programmes and projects._ +What the TRE operator does to ensure effective management of programmes and projects. ```{list-table} :header-rows: 1 @@ -52,7 +52,7 @@ _What the TRE operator does to ensure effective management of programmes and pro ## Knowledge management -_What the TRE operator does to acquire, enrich, share, store, publish and enhance expertise across their organisation._ +What the TRE operator does to acquire, enrich, share, store, publish and enhance expertise across their organisation. ```{list-table} :header-rows: 1 
@@ -74,7 +74,7 @@ _What the TRE operator does to acquire, enrich, share, store, publish and enhanc ## Financial management -_All activities aimed at the efficient and effective management of money (funds) in such a manner as to allow the TRE operator to accomplish its objectives._ +All activities aimed at the efficient and effective management of money (funds) in such a manner as to allow the TRE operator to accomplish its objectives. ```{list-table} :header-rows: 1 @@ -100,7 +100,7 @@ _All activities aimed at the efficient and effective management of money (funds) ## Procurement -_What the TRE operator does to ensure the effective sourcing, purchasing and supply of the goods and services that enable them to operate._ +What the TRE operator does to ensure the effective sourcing, purchasing and supply of the goods and services that enable them to operate. ```{list-table} :header-rows: 1 @@ -116,7 +116,7 @@ _What the TRE operator does to ensure the effective sourcing, purchasing and sup ## IT Service management -_The implementation and management of quality IT services that meet the needs of the TRE operator._ +The implementation and management of quality IT services that meet the needs of the TRE operator. ```{list-table} :header-rows: 1 @@ -133,9 +133,9 @@ _The implementation and management of quality IT services that meet the needs of ## Relationship management -_All activities aimed at ensuring a continuous level of engagement is maintained between the TRE operator and its customers, stakeholders & other interested parties._ +All activities aimed at ensuring a continuous level of engagement is maintained between the TRE operator and its customers, stakeholders and other interested parties. -### Stakeholder relationships +**Stakeholder relationships:** Activities aimed at engaging with TRE stakeholders. ```{list-table} :header-rows: 1 
@@ -151,7 +151,7 @@ _All activities aimed at ensuring a continuous level of engagement is maintained ## Public Involvement and Engagement -_How the TRE operator involves the public in its processes and work in order to maintain trust in its operations._ +How the TRE operator involves the public in its processes and work in order to maintain trust in its operations. -### Legal advisory - -_Ability of the TRE operator to provide suitable and timely legal advice._ +**Legal advisory:** The ability of the TRE operator to provide suitable and timely legal advice. ```{list-table} :header-rows: 1 @@ -205,9 +203,7 @@ _Ability of the TRE operator to provide suitable and timely legal advice._ - Recommended ``` -### Data protection - -_Ability to ensure data is used fairly, lawfully and transparently; for specified, explicit purposes; and in a way that is adequate, relevant and limited to only what is necessary._ +**Data protection:** Ability to ensure data is used fairly, lawfully and transparently; for specified, explicit purposes; and in a way that is adequate, relevant and limited to only what is necessary. ```{list-table} :header-rows: 1 @@ -221,9 +217,7 @@ _Ability to ensure data is used fairly, lawfully and transparently; for specifie - Recommended ``` -### Contract management - -_What the organisation does to ensure that all contracts are effectively managed within required frameworks._ +**Contract management:** What the organisation does to ensure that all contracts are effectively managed within required frameworks. ```{list-table} :header-rows: 1 From dfec2e9d43f3d7ac7adda46eaa6a48797eeae6f7 Mon Sep 17 00:00:00 2001 
From: James Robinson Date: Thu, 10 Aug 2023 11:26:28 +0100 Subject: [PATCH 3/5] :sparkles: Add statement numbering throughout --- docs/source/pillars/computing_technology.md | 171 +++++++++----- docs/source/pillars/data_management.md | 138 ++++++++---- docs/source/pillars/information_governance.md | 210 ++++++++++++------ docs/source/pillars/supporting.md | 93 +++++--- 4 files changed, 407 insertions(+), 205 deletions(-) diff --git a/docs/source/pillars/computing_technology.md b/docs/source/pillars/computing_technology.md index 65f6d0d7..273d4598 100644 --- a/docs/source/pillars/computing_technology.md +++ b/docs/source/pillars/computing_technology.md 
@@ -30,20 +30,23 @@ This may include desktop, command-line and/or code-submission interfaces. :header-rows: 1 :name: tab-end-user-computing-interfaces -* - Statement +* - + - Statement - Guidance - Importance - -* - You must not allow users to copy data out of your TRE via the system clipboard. +* - 2.1.1 + - You must not allow users to copy data out of your TRE via the system clipboard. - A TRE user must not be able to copy sensitive data out of a workspace using the system clipboard. A TRE may allow user to paste text into a workspace. This might not be relevant to your TRE, for example if your user interface does not have a clipboard. - Required -* - Your TRE workspace should provide an environment familiar to your users. +* - 2.1.2 + - Your TRE workspace should provide an environment familiar to your users. - This may take the form of a virtual Windows or Linux desktops, non-desktop interfaces such as JupyterLab and other web applications, or a terminal. Bespoke TRE-specific software should be avoided when widely used alternatives already exist. - Recommended -* - A TRE could restrict data access from researchers entirely and provide an interface for submitting code. +* - 2.1.3 + - A TRE could restrict data access from researchers entirely and provide an interface for submitting code. - For example, you might use a system where users submit jobs that run over the data and return results without allowing direct data access. - Optional ``` 
@@ -54,28 +57,35 @@ This may include desktop, command-line and/or code-submission interfaces. :header-rows: 1 :name: tab-end-user-software-tools -* - Statement +* - + - Statement - Guidance - Importance -* - Your TRE should be accessed via a user interface accessible using commonly available applications. +* - 2.1.4 + - Your TRE should be accessed via a user interface accessible using commonly available applications. - TREs which allow users to connect from their own devices should not require the installation of any bespoke TRE application on the user's device. In practice a web browser is the most common way to achieve this. - Recommended -* - Your TRE must provide clear guidance on how to use software tools and work with data in the TRE. +* - 2.1.5 + - Your TRE must provide clear guidance on how to use software tools and work with data in the TRE. - TREs that provide a virtual desktop environment for researchers to work in should provide documentation detailing the available tools. TREs where the analysis code is developed on the access machine (as opppose to within the TRE) should provide documentation detailing the mechanism by which code is submitted to the TRE. - Mandatory -* - Your TRE should, where possible, automatically apply security related updates for user software. +* - 2.1.6 + - Your TRE should, where possible, automatically apply security related updates for user software. - Reducing the risk of exploitable vulnerabilities in installed software will increase the security of your TRE. - Recommended -* - Your TRE could provide shared services that are accessible to users in the same project. +* - 2.1.7 + - Your TRE could provide shared services that are accessible to users in the same project. - This may include shared file storage, databases, collaborative writing, and other web applications. This must only be shared amongst users within the same project. 
- Optional -* - Your TRE could include licenced commercial software if required by researchers, but additional risks must be recorded and mitigated where neccesary. +* - 2.1.8 + - Your TRE could include licenced commercial software if required by researchers, but additional risks must be recorded and mitigated where neccesary. - For example, if an application must connect to an external licensing server, you must be confident that only licensing information is sent to this server, and that any network connections are secure. - Optional -* - Your TRE must provide software applications that are relevant to working with the data in the TRE. +* - 2.1.9 + - Your TRE must provide software applications that are relevant to working with the data in the TRE. - The tools provided will depend on the types of data in the TRE, and the expectations of users of the TRE. For users working in a TRE via a virtual desktop, this may include programming languages such as Python and R, integrated development environments, Jupyter notebooks, office type applications such as word processors and spreadsheets, command line tools, etc. TREs with non-desktop interfaces should similarly consider carefully which applications are best suited for the researchers needs when interacting with the data, for example "point and click" GUI tools for querying a database and generating plots of data. 
@@ -89,10 +99,12 @@ This may include desktop, command-line and/or code-submission interfaces. :header-rows: 1 :name: tab-end-user-code-vcs -* - Statement +* - + - Statement - Guidance - Importance -* - Your TRE should provide tools to encourage best-practice in reproducibly analysing data. +* - 2.1.10 + - Your TRE should provide tools to encourage best-practice in reproducibly analysing data. - Reproducibility of analyses improves auditability and accountability of how data has been used, as well as being best-practice in research. This may include version control software, and tools for developing and running data analysis pipelines. - Recommended @@ -104,13 +116,16 @@ This may include desktop, command-line and/or code-submission interfaces. :header-rows: 1 :name: tab-end-user-artefact-management -* - Statement +* - + - Statement - Guidance - Importance -* - Your TRE could provide access to some public software repositories or container registries. +* - 2.1.11 + - Your TRE could provide access to some public software repositories or container registries. - For example, a TRE may allow direct installation of packages from Python or R repositories, or provide an internal mirror. - Optional -* - Your TRE could tightly control which packages are available. +* - 2.1.12 + - Your TRE could tightly control which packages are available. - For example, a TRE may only allow installation of a pre-defined set of approved packages. You might also choose to scan for malicious packages and/or go through an approval process before allowing code into the technical environment. - Optional 
@@ -122,28 +137,34 @@ This may include desktop, command-line and/or code-submission interfaces. :header-rows: 1 :name: tab-end-user-advanced-cluster-computing -* - Statement +* - + - Statement - Guidance - Importance -* - Your TRE must maintain segregation of users and data from different projects when using non-standard compute. +* - 2.1.13 + - Your TRE must maintain segregation of users and data from different projects when using non-standard compute. - High performance or specialist compute is often shared amongst multiple users. Users and data must remain segregated at all times. For example, when using physical compute resources, all sensitive data could be securely wiped before another user is given access to that same node. In a cloud hosted TRE virtual machines could be destroyed and recreated. - Mandatory -* - Your TRE should be able to provide access to high performance computing or other scaleable compute resource if required by users. +* - 2.1.14 + - Your TRE should be able to provide access to high performance computing or other scaleable compute resource if required by users. - If a TRE supports users conducting computationally intensive research it should provide access to dynamically scaleable compute or the equivalent. For example this may be in the form of a batch scheduler on a HPC cluster, or a dynamically created compute nodes on a cloud platform. - Recommended -* - Your TRE should be able to provide access to accelerators such as GPUs if required by users. +* - 2.1.15 + - Your TRE should be able to provide access to accelerators such as GPUs if required by users. - GPUs and other accelerators are commonly used in machine learning and other computationally intensive research. TREs should make it clear to users whether GPUs and other resources are available whilst projects are being assessed. - Recommended -* - Your TRE could make data available to researchers using common database systems such as PostgreSQL, MSSQL or MongoDB. 
+* - 2.1.16 + - Your TRE could make data available to researchers using common database systems such as PostgreSQL, MSSQL or MongoDB. - Databases must be secured and only accessible to users within the same project. If shared (multi-tenant) database servers are used, database administrators must ensure that the database server enforces segregation of users and databases belonging to different projects. - Optional -* - Your TRE could integrate with large-scale data analytics tools for working with large datasets. +* - 2.1.17 + - Your TRE could integrate with large-scale data analytics tools for working with large datasets. - For example, Spark and Hadoop can be used for distributed computing across a cluster. This may be an advantage where a TRE is using an amount of data that is too large for single-machine computing to be practical. - Optional 
@@ -160,23 +181,29 @@ This requires development, installation, configuration, and validation. :header-rows: 1 :name: tab-infrastructure-deployment -* - Statement +* - + - Statement - Guidance - Importance -* - You must have a documented procedure for deploying infrastructure. +* - 2.2.1 + - You must have a documented procedure for deploying infrastructure. - This might, for instance, be a handbook that is followed or a set of automated scripts. - Mandatory -* - You should, where possible, automate any repeatable aspects of your deployment. +* - 2.2.2 + - You should, where possible, automate any repeatable aspects of your deployment. - This might involve using infrastructure-as-code tools or a series of scripts. - Recommended -* - You must have a documented procedure for making changes to deployed infrastructure. +* - 2.2.3 + - You must have a documented procedure for making changes to deployed infrastructure. - This refers both to changes that might be expected in the course of normal operation and emergency changes that might be needed. Your change management process may form part of a wider accreditation such as ISO 27001. - Mandatory -* - You must test changes before they are used in production. +* - 2.2.4 + - You must test changes before they are used in production. - This might involve a separate development environment or another system for testing. - Mandatory -* - You should have separate environments for development and testing infrastructure changes before they are committed to production. +* - 2.2.5 + - You should have separate environments for development and testing infrastructure changes before they are committed to production. - If possible, you should automate application of changes between development and production environments. Consider the costs and practicality of whether this will work for your situation. - Recommended 
@@ -188,10 +215,12 @@ This requires development, installation, configuration, and validation. :header-rows: 1 :name: tab-infrastructure-removal -* - Statement +* - + - Statement - Guidance - Importance -* - You must have a documented procedure for removing infrastructure when it is no longer needed. +* - 2.2.6 + - You must have a documented procedure for removing infrastructure when it is no longer needed. - Removing unused infrastructure not only reduces costs and management burden but also reduces the attack surface of a TRE and reduces the risk of unaddressed vulnerabilities. - Mandatory ``` @@ -202,14 +231,17 @@ This requires development, installation, configuration, and validation. :header-rows: 1 :name: tab-infrastructure-availability -* - Statement +* - + - Statement - Guidance - Importance -* - You should understand the availability and uptime guarantees of any providers that you rely on. +* - 2.2.7 + - You should understand the availability and uptime guarantees of any providers that you rely on. - For remote TREs this might include your cloud provider(s) and/or data centre operators. For on-premises TREs, it might be worth using an uninterruptable power supply (UPS) and planning how you would deal with internet outages. - Recommended -* - You should develop an availability target or statement and share this with your users. +* - 2.2.8 + - You should develop an availability target or statement and share this with your users. - Understanding how and when the TRE might be unavailable will help your projects in planning their work. - Recommended ``` 
@@ -220,20 +252,25 @@ This requires development, installation, configuration, and validation. :header-rows: 1 :name: tab-infrastructure-network -* - Statement +* - + - Statement - Guidance - Importance -* - Your TRE must control and manage all of its network infrastructure in order to protect information in systems and applications. +* - 2.2.9 + - Your TRE must control and manage all of its network infrastructure in order to protect information in systems and applications. - Network infrastructure must prevent unauthorised access to resources on the network. This may include firewalls, network segmentation, and restricting connections to the network. - Mandatory -* - Your TRE must not allow connectivity between users in different projects, or with access to different datasets. +* - 2.2.10 + - Your TRE must not allow connectivity between users in different projects, or with access to different datasets. - Connectivity between users in the same project may be allowed, for example to support shared network services within the project. - Mandatory -* - Your TRE must block outbound connections to the internet by default. +* - 2.2.11 + - Your TRE must block outbound connections to the internet by default. - Limited outbound connectivity may be allowed for some services. - Mandatory -* - You must monitor the network configuration of your TRE to check for misconfigurations and vulnerabilities. +* - 2.2.12 + - You must monitor the network configuration of your TRE to check for misconfigurations and vulnerabilities. - This may include regular vulnerability scanning, and penetration testing. - Mandatory ``` 
@@ -244,16 +281,20 @@ This requires development, installation, configuration, and validation. :header-rows: 1 :name: tab-end-user-infrastructure-analytics -* - Statement +* - + - Statement - Guidance - Importance -* - Your TRE must record usage data. +* - 2.2.13 + - Your TRE must record usage data. - This may include the number of users, number of projects, the amount of data stored, number of datasets, the number of workspaces, etc. - Mandatory -* - Your TRE should record which datasets are accessed, when and by who. +* - 2.2.14 + - Your TRE should record which datasets are accessed, when and by who. - This helps maintain auditability of how sensitive data has been used. - Recommended -* - Your TRE should record computational resource usage at the user or aggregate level. +* - 2.2.15 + - Your TRE should record computational resource usage at the user or aggregate level. - This is useful for optimising allocation of resources, and managing costs. - Recommended ``` 
@@ -266,16 +307,20 @@ This requires development, installation, configuration, and validation. :header-rows: 1 :name: tab-infrastructure-capacity -* - Statement +* - + - Statement - Guidance - Importance -* - You must ensure that all projects understand what resources are available and what the associated costs will be before the project starts. +* - 2.3.1 + - You must ensure that all projects understand what resources are available and what the associated costs will be before the project starts. - For on-premises systems this might be related to the available hardware, for cloud-based systems there might be limits on how many instances of a particular resource (_e.g._ GPUs) can be used. Projects should use this information to understand whether the available resources will be sufficient for their requirements. - Mandatory -* - You should ensure that the anticipated needs of projects can be satisfied using available resources. +* - 2.3.2 + - You should ensure that the anticipated needs of projects can be satisfied using available resources. - Note that this does not require you to accept requests for additional resources, but rather that promises made about resource availability before a project starts should be honoured wherever possible. - Recommended -* - You must have a procedure for allocating available resources among projects. +* - 2.3.3 + - You must have a procedure for allocating available resources among projects. - For cloud-based TREs this may involve scaling resources, such as virtual machines or databases, or deploying additional resources. For on-premises TREs this may involve a procurement process to ensure that necessary resources are available. Not all requests for capacity increase must necessarily be granted, but having a clear process will help projects understand when/why/how they can make use of additional capacity. 
@@ -289,16 +334,18 @@ It involves calculation, issuance, and recording of payments and receipts. :header-rows: 1 :name: tab-infrastructure-billing -* - Statement +* - + - Statement - Guidance - Importance -* - You must ensure that the anticipated resource requirements will not result in overspending by the TRE. +* - 2.3.4 + - You must ensure that the anticipated resource requirements will not result in overspending by the TRE. - For cloud-based TREs this may involve budgeting and/or restricting resource consumption on a project-by-project basis. For on-premises TREs this may involve managing expectations to match the available resource. - Mandatory ``` -### Configuration management +## Configuration management **Configuration Management Process:** This {term}`business process ` involves the TRE operator identifying, maintaining, and verifying information on IT assets and configurations in the TRE organisation. 
@@ -306,28 +353,36 @@ It involves calculation, issuance, and recording of payments and receipts. :header-rows: 1 :name: tab-infrastructure-configuration -* - Statement +* - + - Statement - Guidance - Importance -* - You must have a documented procedure for configuring infrastructure. +* - 2.4.1 + - You must have a documented procedure for configuring infrastructure. - This might, for instance, be a handbook that is followed or a set of automated scripts. - Mandatory -* - You should use configuration management tools to automate application of your configuration wherever possible. +* - 2.4.2 + - You should use configuration management tools to automate application of your configuration wherever possible. - This might involve configuration-as-code tools such as Ansible, Chef, Puppet or Windows Desired State Configuration or simply automated scripts. - Recommended -* - You should be able to verify whether the configuration is valid. +* - 2.4.3 + - You should be able to verify whether the configuration is valid. - This might, for instance, involve running your configuration management tool in 'check' mode. - Recommended -* - You should regularly verify your TRE configuration. +* - 2.4.4 + - You should regularly verify your TRE configuration. - This will limit the amount of time the TRE can spend in a non-compliant state. - Recommended -* - You must be able to replace a non-compliant TRE with a compliant system. +* - 2.4.5 + - You must be able to replace a non-compliant TRE with a compliant system. - This might involve reconfiguring a running system or by replacing it with a compliant one. - Mandatory -* - You must have a process in place for applying security updates to all software that forms part of the TRE infrastructure. +* - 2.4.6 + - You must have a process in place for applying security updates to all software that forms part of the TRE infrastructure. 
- This includes any software used for remote desktop portals, databases, webapps, creating and destroying compute infrastructure, configuration management, or software used for monitoring the TRE. - Mandatory -* - You must also run regular anti-virus/malware scans on all TRE systems where infection could be a problem. +* - 2.4.7 + - You must also run regular anti-virus/malware scans on all TRE systems where infection could be a problem. - Virus and malware scans will help identify malicious code which may compromise the security, or correct operation, of the TRE. - Mandatory ``` diff --git a/docs/source/pillars/data_management.md b/docs/source/pillars/data_management.md index 9e8e7580..e381a04b 100644 --- a/docs/source/pillars/data_management.md +++ b/docs/source/pillars/data_management.md 
@@ -21,48 +21,59 @@ _The ability of the TRE operator to manage how and where data is stored, how it :header-rows: 1 :name: tab-data-lifecycle-management -* - Statement +* - + - Statement - Guidance - Importance -* - You must have processes in place to assess the legal and regulatory implications of handling the data through its full lifecycle. +* - 3.1.1 + - You must have processes in place to assess the legal and regulatory implications of handling the data through its full lifecycle. - This involves considering your obligations to data controllers and subjects, and whether any security controls may be legally or contractually required. An assessment of the risks involved will also be needed. It may involve classifying the project into a predefined sensitivity category or defining bespoke controls. - Mandatory -* - You should keep records of data handling decisions. +* - 3.1.2 + - You should keep records of data handling decisions. - Decisions that are made as part of the process discussed above should be recorded and made available for inspection by all stakeholders. - Recommended -* - You must have a data ingress process which enforces information governance rules/processes. +* - 3.1.3 + - You must have a data ingress process which enforces information governance rules/processes. - The data ingress process needs to ensure that information governance is correctly followed. In particular, it should require that an ingress request has been approved by all required parties. - Mandatory -* - You must have a data egress process which enforces information governance rules/processes. +* - 3.1.4 + - You must have a data egress process which enforces information governance rules/processes. - The data egress process needs to ensure that information governance requirements are adhered to. In particular, it should require that an egress request has been approved by all required parties. 
- Mandatory -* - Your data egress process could sometimes require project-independent approval. +* - 3.1.5 + - Your data egress process could sometimes require project-independent approval. - There may be cases where there are multiple stakeholders for a piece of analysis including data providers, data analysts, data subjects, the TRE operator. A data egress process may then require approval from people not on the project team, for example an external referee or TRE operator representative - Optional -* - You must keep a record of what data your TRE holds. +* - 3.1.6 + - You must keep a record of what data your TRE holds. - Good records are important for ensuring compliance with legislation, understanding risk and aiding good data hygiene. The record should include a description of the data, its source, contact details for the data owner, which projects use the data, the date it was received, when it is expected to no longer be needed. - Mandatory -* - You must have a policy on data deletion. +* - 3.1.7 + - You must have a policy on data deletion. - There should be a clear, published policy on when data will be retained or deleted. This may allow time for data owners to consider outputs they may want to extract from the TRE. Any sensitive data, including all backups, should be deleted when they are no longer needed. Having clear policies will help to avoid problems with data being kept longer than necessary or accidental deletion of outputs. - Mandatory -* - You could keep backups of data and research environments, provided that this is permitted by law. +* - 3.1.8 + - You could keep backups of data and research environments, provided that this is permitted by law. - Keeping backups could help reduce the impact of events like accidental deletion and data corruption on work in a TRE. TRE developers may want to consider how different elements such as sensitive input data or users' workspaces may be backed up, and whether they should be. 
- Optional -* - You should log how input data is modified. +* - 3.1.9 + - You should log how input data is modified. - If the input data is mutable a TRE should keep records of its modification. For example, when the data was modified and by who. - Recommended -* - You must, to a reasonable extent, prevent unauthorised data ingress or egress. +* - 3.1.10 + - You must, to a reasonable extent, prevent unauthorised data ingress or egress. - Movement of data which has not been subject to information governance processes risks breaking rules and is more likely to result in a data breach. However, it is difficult to control for every possibility. For example, a user may take pictures of their computer screen to remove data, or use a device presenting as a USB HID keyboard to input large amounts of text. 
@@ -78,30 +89,37 @@ _The ability of the TRE operator to ensure the right people (identities) can onl :header-rows: 1 :name: tab-identity-and-access-management -* - Statement +* - + - Statement - Guidance - Importance -* - You must not create user accounts for use by more than one person. +* - 3.2.1 + - You must not create user accounts for use by more than one person. - It is important that each user account should be used by one, and only one, person in order to facilitate the assignment of roles or permissions and to log the actions of individuals. - Mandatory -* - You must be reasonably convinced of the identity of each person being granted an account. +* - 3.2.2 + - You must be reasonably convinced of the identity of each person being granted an account. - It is important to ensure an account has been given to the correct person. For example, multiple credentials may be used before account creation to verify identity or, when appropriate, photo ID checks may be required. - Mandatory -* - You must restrict a user's access to only data required in their work. +* - 3.2.3 + - You must restrict a user's access to only data required in their work. - There is no need to grant an individual access to data they do not require. Access may be assigned in a manner appropriate to a TREs design, for example through roles granted to user accounts or through isolated project workspaces. - Mandatory -* - You must ensure that multi-factor authentication is enabled for all users. +* - 3.2.4 + - You must ensure that multi-factor authentication is enabled for all users. - Multi-factor authentication ensures that to successfully connect a user must have more than one piece of evidence in different categories. Categories include something the user knows (_e.g._ a password), something the user possesses (_e.g._ a TOTP key) or something the user is (_e.g._ biometric data). 
A TRE does not need to implement multi-factor authentication checks itself if it is provided by a third-party identity provider. - Mandatory -* - You could use federated authentication or single sign-on (SSO) for user login. +* - 3.2.5 + - You could use federated authentication or single sign-on (SSO) for user login. - Institutions that use a SSO for other applications may wish to extend this login capability to a TRE. This will simplify the login process for researchers using a TRE and prevent them having to remember or store multiple login credentials. - Optional -* - You could restrict access to particular networks or physical locations. +* - 3.2.6 + - You could restrict access to particular networks or physical locations. - Restricting access to a set of known, static, personal or institutional IP addresses can help avoid speculative attacks. When appropriate, access could also be restricted to physical locations with security controls and access requirements. - Optional 
@@ -115,15 +133,18 @@ _The ability of the TRE operator to ensure outputs are safely published and shar :header-rows: 1 :name: tab-output-management -* - Statement +* - + - Statement - Guidance - Importance -* - You should have a system to help classify outputs. +* - 3.3.1 + - You should have a system to help classify outputs. - Removing data from a TRE can be a difficult process as there is potential for sensitive data to be revealed. Having guidance, processes and methods will help ensure that outputs are correctly classified and, furthermore, that outputs due to be openly published are identified. Encouraging openly published outputs rather than handing all outputs to the data provider will enhance a TRE's impact. - Recommended -* - You should establish the intended outputs of each project from the outset. +* - 3.3.2 + - You should establish the intended outputs of each project from the outset. - Identifying the purpose of a piece of work is important for compliance with data protection legislation. Results will be produced which address the project's purpose, some of which may be outputs that are removed from the TRE. Understanding what these outputs are likely to be and their sensitivity as early as possible will help prepare for their processing and publication. @@ -140,10 +161,12 @@ _The ability to query and browse the data within an environment at various level :header-rows: 1 :name: tab-information-search-and-discovery -* - Statement +* - + - Statement - Guidance - Importance -* - You could make a catalogue of sensitive data that you make available to users. +* - 3.4.1 + - You could make a catalogue of sensitive data that you make available to users. - This is particularly relevant for TREs that are an interface to a common data collection. This may not be appropriate for TREs where each project has its own data sharing agreement with one or more data providers. - Optional 
@@ -173,21 +196,26 @@ These measures include vulnerability management of TRE infrastructure (whether p :header-rows: 1 :name: tab-vulnerability-management -* - Statement +* - + - Statement - Guidance - Importance -* - You should keep all TRE computing infrastructure up-to-date with security patches and antivirus (if appropriate). +* - 3.5.1 + - You should keep all TRE computing infrastructure up-to-date with security patches and antivirus (if appropriate). - This might involve scheduling regular automated scanning and application of updates. Infrastructure that is isolated from the internet or immutable in some way may not need to be updated. - Recommended -* - You should conduct regular vulnerability scans of TRE infrastructure. +* - 3.5.2 + - You should conduct regular vulnerability scans of TRE infrastructure. - Ensuring that scans are done on a regular basis can enable TRE operators can identify and address weaknesses that may have been introduced during the operational lifetime of the TRE. - Recommended -* - You should regularly check the compliance of machine and resource configurations. +* - 3.5.3 + - You should regularly check the compliance of machine and resource configurations. - This might involve automated "desired state" enforcement or manual checks. It might also include checks over what actions are possible, for example, whether or not certain network connections are allowed. - Recommended -* - Your TRE should adhere to one or more external security standards. +* - 3.5.4 + - Your TRE should adhere to one or more external security standards. - The TRE operator should identify appropriate security standards and best practices that it will adhere too. These should be stated to all stakeholders in advance of any data being brought in to the TRE. - Recommended 
@@ -201,22 +229,27 @@ These measures include vulnerability management of TRE infrastructure (whether p :header-rows: 1 :name: tab-security-testing -* - Statement +* - + - Statement - Guidance - Importance -* - You should carry out penetration tests on your TRE. +* - 3.5.5 + - You should carry out penetration tests on your TRE. - By intentionally attempting to breach their TRE, organisations can proactively discover unnoticed vulnerabilities before they are exploited maliciously. Tests can evaluate the effectiveness of security controls in preventing data breaches, unauthorised access, or other security incidents. - Recommended -* - You should update the security controls of your TRE based on the results of security tests. +* - 3.5.6 + - You should update the security controls of your TRE based on the results of security tests. - Security testing can reveal bugs and discrepancies in the TRE architecture which should be addressed in advance of sensitive data being uploaded, or with urgency in the case of an operational TRE. Regular testing will allow organisations to refine their TRE security controls and incident response capabilities. It enables them to adapt to any new security concerns that may arise as a result of changes in the underlying software. - Recommended -* - You must have procedures in place for rapid incident response. +* - 3.5.7 + - You must have procedures in place for rapid incident response. - There may be legal requirements to disclose details of any incidents, such as data breaches for organisations subject to GDPR. Having robust processes in place will ensure a swift and effective response when an incident occurs. - Mandatory -* - You should publish details of your security testing strategy and, where possible, the results of each test. +* - 3.5.8 + - You should publish details of your security testing strategy and, where possible, the results of each test. 
- Knowledge that regular security testing occurs will help to ensure stakeholders, including researchers and data providers, can trust that the data they work with or are responsible for is secure within a TRE. If security flaws are identified in a test, it may not be sensible to publicise these until a fix is in place. - Recommended 
@@ -232,26 +265,32 @@ Here we define 'project' data as the data brought in for work which is very like :header-rows: 1 :name: tab-encryption -* - Statement +* - + - Statement - Guidance - Importance -* - Your TRE must encrypt project and user data at rest. +* - 3.5.9 + - Your TRE must encrypt project and user data at rest. - This prevents unauthorised access to the data even if the storage media is compromised. This may involve encrypted filesystems or tools to encrypt and decrypt data on demand. The encryption keys may be managed by the TRE operator or by a trusted external actor, for example a cloud provider. - Mandatory -* - Your TRE must encrypt data when in transit between the TRE and external networks or computers. +* - 3.5.10 + - Your TRE must encrypt data when in transit between the TRE and external networks or computers. - Data encryption must be used to safeguard against interception or tampering during transmission. This includes both data ingress and egress and users accessing the TRE, for example over a remote desktop or shell session. - Mandatory -* - Your TRE should encrypt data when in transit inside the TRE. +* - 3.5.11 + - Your TRE should encrypt data when in transit inside the TRE. - If possible, data transfers between different components of a TRE should also be encrypted. - Recommended -* - You should use the latest stable version of any software you use for encryption. +* - 3.5.12 + - You should use the latest stable version of any software you use for encryption. - The latest security patches and updates should be applied to any encryption software being used by the TRE. This helps address any known vulnerabilities or weaknesses in the encryption implementation. - Recommended -* - Your TRE should use secure key management. +* - 3.5.13 + - Your TRE should use secure key management. 
- TREs should employ secure key management practices, including storing encryption keys separately from the encrypted data and implementing strong access controls (_e.g._ Single Sign On) for key management systems. - Recommended ``` @@ -266,14 +305,17 @@ Physical security controls can provide TREs using highly sensitive data an extra :header-rows: 1 :name: tab-physical-security -* - Statement +* - + - Statement - Guidance - Importance -* - Your TRE could offer physical protection measures against data leakage or theft via physical means. +* - 3.5.14 + - Your TRE could offer physical protection measures against data leakage or theft via physical means. - Restricting access to research facilities containing computers logged into TREs can help prevent malicious actors from viewing or stealing sensitive data, for example by photographing a computer screen. Physical controls on access to a TRE could include surveillance systems, restricting physical access to authorised personnel only, visitor management systems and employee training. - Optional -* - Your TRE may need to comply with specific regulatory requirements if it is hosting particularly sensitive data. +* - 3.5.15 + - Your TRE may need to comply with specific regulatory requirements if it is hosting particularly sensitive data. - Regulatory frameworks such as GDPR emphasise the need for physical security controls to protect sensitive data. Compliance with these regulations could require organisations to implement specific physical security measures to safeguard their TRE from unauthorised access. - Optional 
@@ -293,18 +335,22 @@ Throughout the rest of this document, we will refer to each pre-defined security :header-rows: 1 :name: tab-security-level -* - Statement +* - + - Statement - Guidance - Importance -* - You must be able to specify what categories of data your TRE is able to support. +* - 3.6.1 + - You must be able to specify what categories of data your TRE is able to support. - Your TRE must provide an explanation of the kinds of data it has been designed to hold, with reference to its security capabilities, that can be understood by all stakeholders. Relevant stakeholders may include data providers and project teams and they may have different levels of technical expertise. - Mandatory -* - Your TRE could support projects with differing security requirements through configurable security controls. +* - 3.6.2 + - Your TRE could support projects with differing security requirements through configurable security controls. - This allows projects with different security requirements to each be met with a suitable level of controls. It helps ensure that users can work effectively, with minimal barriers. - Optional -* - Your TRE could offer a pre-defined set of security control tiers. +* - 3.6.3 + - Your TRE could offer a pre-defined set of security control tiers. - Security control tiers can be designed to cover the types of project or data you expect to handle. Projects may be placed into the most suitable tier rather than having a bespoke design. This reduces the number of unique configurations that need to be supported. diff --git a/docs/source/pillars/information_governance.md b/docs/source/pillars/information_governance.md index a1ad559e..655290dd 100644 --- a/docs/source/pillars/information_governance.md +++ b/docs/source/pillars/information_governance.md 
@@ -23,10 +23,12 @@ For example, some requirements will arise from national legislation such as GDPR :header-rows: 1 :name: tab-ig-requirements-gathering-monitoring -* - Statement +* - + - Statement - Guidance - Importance -* - You must gather and monitor the information governance requirements needed to fulfil the legal and ethical standards to protect data subjects and deliver valuable research. +* - 1.1.1 + - You must gather and monitor the information governance requirements needed to fulfil the legal and ethical standards to protect data subjects and deliver valuable research. - Requirements will come from a variety of sources including legislation, contractual obligations and ethical standards. Requirements must be monitored to ensure the TRE controls continue to match such requirements. New types of analysis or sources of data being brought into the scope of the TRE should be monitored to ensure requirements are current. @@ -39,10 +41,12 @@ For example, some requirements will arise from national legislation such as GDPR :header-rows: 1 :name: tab-ig-controls -* - Statement +* - + - Statement - Guidance - Importance -* - You must ensure controls are implemented to ensure the requirements are met. +* - 1.1.2 + - You must ensure controls are implemented to ensure the requirements are met. - Control implementation should be systematic and directly aligned to the internal and stakeholder requirements. - Mandatory ``` 
@@ -53,10 +57,12 @@ For example, some requirements will arise from national legislation such as GDPR :header-rows: 1 :name: tab-ig-resource-allocation -* - Statement +* - + - Statement - Guidance - Importance -* - You must ensure there are adequate resources to provide assurance and meet information governance requirements. +* - 1.1.3 + - You must ensure there are adequate resources to provide assurance and meet information governance requirements. - There should be adequate access to funding to implement and maintain the TRE which is under the direct control of the TRE organisation. - Mandatory ``` @@ -71,13 +77,16 @@ What the organisation does to measure and control quality of processes, document :header-rows: 1 :name: tab-ig-document-management -* - Statement +* - + - Statement - Guidance - Importance -* - You must ensure all policies and standard operating procedures relevant to the TRE organisation are controlled. +* - 1.2.1 + - You must ensure all policies and standard operating procedures relevant to the TRE organisation are controlled. - This may include measures like restricting edit access to relevant documents and/or recording acceptance of policies. - Mandatory -* - You must ensure all policies and standard operating procedures relevant to the TRE organisation are version controlled and have codified change processes. +* - 1.2.2 + - You must ensure all policies and standard operating procedures relevant to the TRE organisation are version controlled and have codified change processes. - Version control includes recording dates of changes, person responsible for carrying out changes, and summary of changes. - Mandatory ``` 
@@ -88,10 +97,12 @@ What the organisation does to measure and control quality of processes, document :header-rows: 1 :name: tab-ig-quality-management -* - Statement +* - + - Statement - Guidance - Importance -* - You must measure the performance of information governance within the TRE with regular reporting available to your TRE organisation's management team. +* - 1.2.3 + - You must measure the performance of information governance within the TRE with regular reporting available to your TRE organisation's management team. - This may include reports and dashboards showing security incidents, quality management deviations and audit findings. - Mandatory ``` @@ -102,13 +113,16 @@ What the organisation does to measure and control quality of processes, document :header-rows: 1 :name: tab-ig-internal-audit -* - Statement +* - + - Statement - Guidance - Importance -* - You must audit your TRE organisation against relevant requirements and standards +* - 1.2.4 + - You must audit your TRE organisation against relevant requirements and standards - If you are publicly accredited against a standard, for instance ISO27001, DSPT, CE+ etc., you must have processes in place to ensure you remain compliant. - Mandatory -* - You must report on and share outcomes of each audit of your TRE organisation with the required bodies. +* - 1.2.5 + - You must report on and share outcomes of each audit of your TRE organisation with the required bodies. - This may include regulatory bodies or the organisations that manage accreditations you have - Mandatory ``` 
@@ -119,14 +133,17 @@ What the organisation does to measure and control quality of processes, document :header-rows: 1 :name: tab-ig-supplier-management-monitoring -* - Statement +* - + - Statement - Guidance - Importance -* - You must ensure that suppliers, contractors and sub-contractors with access to your TRE align with your security requirements. +* - 1.2.6 + - You must ensure that suppliers, contractors and sub-contractors with access to your TRE align with your security requirements. - These should be included as mandatory, non-functional requirements in during procurement and contracting. This will also include contractor staff contracts for example, legal liability and NDAs. - Mandatory -* - You must monitor compliance of your suppliers with the terms of the contracts. +* - 1.2.7 + - You must monitor compliance of your suppliers with the terms of the contracts. - This will include monitoring changes in the services and infrastructure being delivered and quality management within the contractor’s organisation. This may be done through formal audit or by monitoring change and quality documentation provided by the supplier. - Mandatory @@ -138,10 +155,12 @@ What the organisation does to measure and control quality of processes, document :header-rows: 1 :name: tab-ig-asset-management-process -* - Statement +* - + - Statement - Guidance - Importance -* - You must track and maintain any physical assets used by your TRE. +* - 1.2.8 + - You must track and maintain any physical assets used by your TRE. - All physical assets should be maintained and covered by warranty if applicable At the end of their lifetime, assets should be securely disposed of in such a way that data cannot be recovered from them. - Mandatory (where physical assets are in scope) 
@@ -153,13 +172,16 @@ What the organisation does to measure and control quality of processes, document :header-rows: 1 :name: tab-ig-issue-management-process -* - Statement +* - + - Statement - Guidance - Importance -* - You must log, track and resolve any issues resulting from deviations from processes, incidents and audit findings. +* - 1.2.9 + - You must log, track and resolve any issues resulting from deviations from processes, incidents and audit findings. - This process could, for example, be tracked through an electronic record and workflow system with records retained. - Mandatory -* - You must use reported issues to inform changes, such as for process improvement and risk management. +* - 1.2.10 + - You must use reported issues to inform changes, such as for process improvement and risk management. - All issues should be analysed for their route cause and improvements put in place to prevent further occurrence. - Mandatory ``` @@ -170,10 +192,12 @@ What the organisation does to measure and control quality of processes, document :header-rows: 1 :name: tab-ig-quality-management-data -* - Statement +* - + - Statement - Guidance - Importance -* - You should collect and maintain quality management data for measuring the effectiveness of a TRE. +* - 1.2.11 + - You should collect and maintain quality management data for measuring the effectiveness of a TRE. - Large amounts of data will be produced by elements within the TRE. These data should be analysed with reports and dashboards provided to guide TRE implementer’s improvements and provide re-assurance to data consumers and subjects. - Recommended 
@@ -185,10 +209,12 @@ What the organisation does to measure and control quality of processes, document :header-rows: 1 :name: tab-ig-quality-management-system-application -* - Statement +* - + - Statement - Guidance - Importance -* - You could use a QMS (Quality Management System) to standardise and automate quality management tasks and workflows, and to generate quality data and reports automatically. +* - 1.2.12 + - You could use a QMS (Quality Management System) to standardise and automate quality management tasks and workflows, and to generate quality data and reports automatically. - A basis QMS could be a set of spreadsheets or documents held in a repository which are manually maintained. More mature applications will provide workflows and generate quality data through manual and automated actions. - Optional @@ -204,13 +230,16 @@ What the organisation does to ensure information risk is measured and managed to :header-rows: 1 :name: tab-ig-risk-assessment -* - Statement +* - + - Statement - Guidance - Importance -* - You must have a way to score risk to understand the underlying severity. +* - 1.3.1 + - You must have a way to score risk to understand the underlying severity. - You have a risk assessment methodology for scoring risks on multiple axes such as impact and likelihood. - Mandatory -* - You must carry out a data processing assessment for all projects requiring a TRE. +* - 1.3.2 + - You must carry out a data processing assessment for all projects requiring a TRE. - A data processing assessment is a process designed to identify risks arising out of the processing of sensitive data and to minimise these risks as far and as early as possible. This may take the form of an existing regulatory requirements such as Data Protection Impact Assessment. - Mandatory ``` 
@@ -221,10 +250,12 @@ What the organisation does to ensure information risk is measured and managed to :header-rows: 1 :name: tab-ig-risk-treatment -* - Statement +* - + - Statement - Guidance - Importance -* - You must have a process for designing, implementing and recording risk mitigations where indicated by a risk assessment. +* - 1.3.3 + - You must have a process for designing, implementing and recording risk mitigations where indicated by a risk assessment. - Actions that are taken or not taken following a risk assessment must be recorded. - Mandatory ``` @@ -235,14 +266,17 @@ What the organisation does to ensure information risk is measured and managed to :header-rows: 1 :name: tab-ig-risk-ownership -* - Statement +* - + - Statement - Guidance - Importance -* - You must have a clear set of roles and responsibilities relating to risk including who owns risks and how they are escalated and delegated. +* - 1.3.4 + - You must have a clear set of roles and responsibilities relating to risk including who owns risks and how they are escalated and delegated. - The highest level of risk ownership is the top management of the TRE organisation. In order to ensure escalations to this level are rare, suitable structures should be put in place to own, mitigate and accept risk. - Mandatory -* - You must understand your organisational risk appetite. +* - 1.3.5 + - You must understand your organisational risk appetite. - This includes understanding ownership of risk, and ability to accept risk which falls outside of the appetite should that become necessary. - Mandatory ``` 
@@ -257,10 +291,12 @@ What the organisation does to create and maintain research projects and work pac :header-rows: 1 :name: tab-ig-study-onboarding -* - Statement +* - + - Statement - Guidance - Importance -* - You must have checks in place to ensure a project has the legal, financial and ethical requirements in place for the duration of the project. +* - 1.4.1 + - You must have checks in place to ensure a project has the legal, financial and ethical requirements in place for the duration of the project. - This includes checks that contracts are in place where required, adequate funding is available for the duration of the project, and responsibilities concerning data ownership are understood by all parties. - Mandatory ``` @@ -271,14 +307,17 @@ What the organisation does to create and maintain research projects and work pac :header-rows: 1 :name: tab-ig-compliance-checking -* - Statement +* - + - Statement - Guidance - Importance -* - You must have checks in place to ensure that any time limited compliance requirements are maintained. +* - 1.4.2 + - You must have checks in place to ensure that any time limited compliance requirements are maintained. - This includes ensuring contracts remain in valid and action is promptly taken should they expire. Any changes in the status of responsible persons should also be monitored, for example a data owner leaving an organisation. - Mandatory -* - You must have checks in place to ensure that changes in regulations are met for a project. +* - 1.4.3 + - You must have checks in place to ensure that changes in regulations are met for a project. - - Mandatory ``` 
@@ -289,10 +328,12 @@ What the organisation does to create and maintain research projects and work pac :header-rows: 1 :name: tab-ig-study-closure -* - Statement +* - + - Statement - Guidance - Importance -* - You must have standard processes in place for the end of a project, that follow all legal requirements and data security best practice. +* - 1.4.4 + - You must have standard processes in place for the end of a project, that follow all legal requirements and data security best practice. - This includes the archiving of quality and log data along with the archiving or deletion of data sets. - Mandatory ``` @@ -303,10 +344,12 @@ What the organisation does to create and maintain research projects and work pac :header-rows: 1 :name: tab-ig-study-management-portal -* - Statement +* - + - Statement - Guidance - Importance -* - You could implement a portal that can provide a workflow engine and database which automates the processes within this capability. +* - 1.4.5 + - You could implement a portal that can provide a workflow engine and database which automates the processes within this capability. - A portal should automate as much of the processes within the capability as possible. Where processes are automated process maturity is easier to achieve with processes being completed more consistently and producing quality control and monitoring data automatically - Optional 
@@ -318,10 +361,12 @@ What the organisation does to create and maintain research projects and work pac :header-rows: 1 :name: tab-ig-data-asset-register -* - Statement +* - + - Statement - Guidance - Importance -* - You must keep a complete record of all the data assets held within the system. +* - 1.4.6 + - You must keep a complete record of all the data assets held within the system. - Details of all data assets (current and past) held by the system should be retained along with meta-data useful for ensuring compliance can be demonstrated. This would include ownership, data lifecycle, contracts, risk assessments and other quality data. This is likely to already exist within the wider organisation but may require augmenting for the TRE. @@ -334,10 +379,12 @@ What the organisation does to create and maintain research projects and work pac :header-rows: 1 :name: tab-ig-study-register -* - Statement +* - + - Statement - Guidance - Importance -* - You should keep a complete record of all the research studies and projects within the TRE current and past. +* - 1.4.7 + - You should keep a complete record of all the research studies and projects within the TRE current and past. - The study register should contain all data related to a study including a reference to data assets, members (researchers, owners etc.) and any compliance activities required. - Recommended ``` @@ -352,10 +399,12 @@ Ability to ensure that people with access to data are correctly identified and t :header-rows: 1 :name: tab-ig-identity-verification -* - Statement +* - + - Statement - Guidance - Importance -* - You must have a robust method for identifying accredited members of your TRE organisation, prior to their accessing of sensitive data. +* - 1.5.1 + - You must have a robust method for identifying accredited members of your TRE organisation, prior to their accessing of sensitive data. - This may include multi-factor authentication (MFA), ID checks or email/phone verification. - Mandatory ``` 
@@ -366,10 +415,12 @@ Ability to ensure that people with access to data are correctly identified and t :header-rows: 1 :name: tab-ig-user-onboarding -* - Statement +* - + - Statement - Guidance - Importance -* - You must have clear onboarding processes in place for all roles within your TRE organisation. +* - 1.5.2 + - You must have clear onboarding processes in place for all roles within your TRE organisation. - This may include all members signing role-specific terms of use and completing role specific training. - Mandatory ``` @@ -380,13 +431,16 @@ Ability to ensure that people with access to data are correctly identified and t :header-rows: 1 :name: tab-ig-identity-access-management-services -* - Statement +* - + - Statement - Guidance - Importance -* - You must have a set of services to manage access to resources based on identity. +* - 1.5.3 + - You must have a set of services to manage access to resources based on identity. - This will include a security model for role based access with technical controls to ensure the principle of least privilege is enforced. - Mandatory -* - You must not give anyone access to datasets without agreement from the Data Controller. +* - 1.5.4 + - You must not give anyone access to datasets without agreement from the Data Controller. - The Data Controller may choose to delegate this authority. - Mandatory ``` 
@@ -397,10 +451,12 @@ Ability to ensure that people with access to data are correctly identified and t :header-rows: 1 :name: tab-ig-authentication-application -* - Statement +* - + - Statement - Guidance - Importance -* - You must have robust and secure applications in place to authenticate users (and services) within the TRE. +* - 1.5.5 + - You must have robust and secure applications in place to authenticate users (and services) within the TRE. - The number of authentication applications should be kept to a minimum with common controls and standards applied across all such as MFA, password complexity etc. - Mandatory ``` @@ -411,10 +467,12 @@ Ability to ensure that people with access to data are correctly identified and t :header-rows: 1 :name: tab-ig-user-identity-attributes -* - Statement +* - + - Statement - Guidance - Importance -* - You must give each user of the TRE a unique logon with changes to any records strictly controlled. +* - 1.5.6 + - You must give each user of the TRE a unique logon with changes to any records strictly controlled. - The unique identifier and all associated records for a user should be traceable across the entire TRE. This will include training records, affiliations, contract agreements and ethics approvals where required. - Mandatory 
@@ -430,19 +488,23 @@ Ability to deliver, track and maintain adequate training levels to ensure compet :header-rows: 1 :name: tab-ig-curriculum-creation-management -* - Statement +* - + - Statement - Guidance - Importance -* - You must ensure that relevant training is available for all roles within the TRE organisation. +* - 1.5.7 + - You must ensure that relevant training is available for all roles within the TRE organisation. - This may include, for instance, cyber security training, GDPR training, and higher level training for system operators. Specialised roles are likely to need more tailored training. Identification of these specialities should be done through a systematic training needs analysis. Specific training may also be required based on the data or data provider such as GCP. - Mandatory -* - You could have a training platform capable of delivering online training in a variety of formats. +* - 1.5.8 + - You could have a training platform capable of delivering online training in a variety of formats. - This could include competency testing and more simple recording of actions such as read and understood. - Optional -* - You must provide repeat or updated training where necessary to account for changes in competency requirements. +* - 1.5.9 + - You must provide repeat or updated training where necessary to account for changes in competency requirements. - Training is not a one-off event. Electronic reminders for refresher training should be considered. Ideally training should remain relevant and so policies and processes should enable people to demonstrate competency rather than repeat training unnecessarily. 
@@ -455,13 +517,16 @@ Ability to deliver, track and maintain adequate training levels to ensure compet :header-rows: 1 :name: tab-ig-certification-management -* - Statement +* - + - Statement - Guidance - Importance -* - You must maintain accurate training records that are directly tied to the role and access levels within the TRE. +* - 1.5.10 + - You must maintain accurate training records that are directly tied to the role and access levels within the TRE. - Training records should be tied to a user record and carefully maintained. - Mandatory -* - You should accept proof of relevant training certifications from third parties. +* - 1.5.11 + - You should accept proof of relevant training certifications from third parties. - This should include competency testing and more simple recording of actions such as read and understood. - Recommended ``` @@ -472,10 +537,12 @@ Ability to deliver, track and maintain adequate training levels to ensure compet :header-rows: 1 :name: tab-ig-learning-management-system -* - Statement +* - + - Statement - Guidance - Importance -* - You could implement an LMS to manage courses and deliver training as required. +* - 1.5.12 + - You could implement an LMS to manage courses and deliver training as required. - Where possible an LMS should support a variety of course content and testing. - Optional ``` 
@@ -486,13 +553,16 @@ Ability to deliver, track and maintain adequate training levels to ensure compet :header-rows: 1 :name: tab-ig-courses-data -* - Statement +* - + - Statement - Guidance - Importance -* - You could ensure course data is transferable between systems where possible. +* - 1.5.13 + - You could ensure course data is transferable between systems where possible. - Support for standard formats such as SCORM allows courses to be shared between providers. - Optional -* - You could keep historical copies of courses in order to demonstrate competency at a given point in time. +* - 1.5.14 + - You could keep historical copies of courses in order to demonstrate competency at a given point in time. - Data providers and regulators may be required to audit historical records (EG. Clinical trials) it may be necessary to retain copies of superseded training along with versions of certifications within the training record. - Optional ``` diff --git a/docs/source/pillars/supporting.md b/docs/source/pillars/supporting.md index f8b9ede3..78c0c497 100644 --- a/docs/source/pillars/supporting.md +++ b/docs/source/pillars/supporting.md 
@@ -19,13 +19,16 @@ What the TRE operator does to ensure the development, testing, and maintenance o :header-rows: 1 :name: tab-business-continuity-subject -* - Statement +* - + - Statement - Guidance - Importance -* - You should have a business continuity plan that includes consideration of loss of service for deployed TREs. +* - 4.1.1 + - You should have a business continuity plan that includes consideration of loss of service for deployed TREs. - This may be due to downtime from service providers, a breach, or loss of power. Your plan should detail your process for managing loss of service for deployed TREs, and evaluation of impact of such loss. - Recommended -* - You should regularly test the aspects of your business continuity plan concerning TREs, and have a process in place to iterate the plan if required. +* - 4.1.2 + - You should regularly test the aspects of your business continuity plan concerning TREs, and have a process in place to iterate the plan if required. - - Recommended ``` @@ -38,14 +41,17 @@ What the TRE operator does to ensure effective management of programmes and proj :header-rows: 1 :name: tab-project-programme-management -* - Statement +* - + - Statement - Guidance - Importance -* - You should ensure that all projects using your TRE have a named project manager. +* - 4.2.1 + - You should ensure that all projects using your TRE have a named project manager. - The project manager has responsibility to ensure the smooth running of the project. Their responsibilities may include budget management, tracking TRE status, managing communications with the TRE operations team, and other project support tasks. - Recommended -* - You should not give project managers direct access to the TRE. +* - 4.2.2 + - You should not give project managers direct access to the TRE. - Doing so ensures a separation between those able to access sensitive data, and those overseeing access to sensitive data. - Recommended ``` 
@@ -58,16 +64,20 @@ What the TRE operator does to acquire, enrich, share, store, publish and enhance :header-rows: 1 :name: tab-knowledge-management -* - Statement +* - + - Statement - Guidance - Importance -* - You must document all features of your TRE implementation. +* - 4.3.1 + - You must document all features of your TRE implementation. - This includes ensuring all documentation is discoverable, clear, and able to be easily updated based on stakeholder feedback - Mandatory -* - You should have an education programme in place to upskill stakeholders in the use and management of your TRE. +* - 4.3.2 + - You should have an education programme in place to upskill stakeholders in the use and management of your TRE. - This may include learning modules, workshops and other resources on how to effectively access and use a TRE, FAQ pages, and accessible pathways for additional support - Recommended -* - You should periodically carry out a training needs analysis (TNA) for all stakeholders included within your TRE provision. +* - 4.3.3 + - You should periodically carry out a training needs analysis (TNA) for all stakeholders included within your TRE provision. - At least once every 12 months you should assess the training needs of your stakeholders, and ensure they have easy access to all required training materials - Recommended ``` 
@@ -80,20 +90,25 @@ All activities aimed at the efficient and effective management of money (funds) :header-rows: 1 :name: tab-financial-management -* - Statement +* - + - Statement - Guidance - Importance -* - You must ensure that all projects using your TRE are aware of any associated costs and are able and willing to pay them. +* - 4.4.1 + - You must ensure that all projects using your TRE are aware of any associated costs and are able and willing to pay them. - Costs may include provision of the underlying TRE infrastructure, additional resources required in a specific TRE (for instance memory or additional compute), hardware including managed devices, and staff support costs - Mandatory -* - You should be able to track the costs associated with each TRE project. +* - 4.4.2 + - You should be able to track the costs associated with each TRE project. - This includes knowing which costs are associated with which project, and having an appropriate charging mechanism in place in line with your organisational policy. - Recommended -* - You should have a process in place to ensure your TRE provision remains financially sustainable. +* - 4.4.3 + - You should have a process in place to ensure your TRE provision remains financially sustainable. - This could include having a cost recovery process in place, or setting up a long-term funding mechanism to support projects with TREs. At any given time, you should have funds free to cover all potential foreseen TRE provision for at least 12 months. - Recommended -* - You should minimise the cost of your TRE infrastructure wherever possible +* - 4.4.4 + - You should minimise the cost of your TRE infrastructure wherever possible - You should have regular reviews of your TRE provision and actively work to bring down costs, streamline provision, and optimise support. - Recommended ``` 
@@ -106,10 +121,12 @@ What the TRE operator does to ensure the effective sourcing, purchasing and supp :header-rows: 1 :name: tab-procurement -* - Statement +* - + - Statement - Guidance - Importance -* - You must identify any goods or services that will be needed to operate the TRE and ensure that a plan is in place to purchase them as needed. +* - 4.5.1 + - You must identify any goods or services that will be needed to operate the TRE and ensure that a plan is in place to purchase them as needed. - These may include computing hardware, cloud credits or devices through which users access the TRE. - Mandatory ``` @@ -122,10 +139,12 @@ The implementation and management of quality IT services that meet the needs of :header-rows: 1 :name: tab-it-service-management -* - Statement +* - + - Statement - Guidance - Importance -* - You TRE must have a team in place to support projects working with TREs. +* - 4.6.1 + - You TRE must have a team in place to support projects working with TREs. - This may be part of your organisation's IT support team, or separate. Responsibility should be clear and stakeholders should easily be able to access support appropriate to their needs. - Mandatory @@ -141,10 +160,12 @@ All activities aimed at ensuring a continuous level of engagement is maintained :header-rows: 1 :name: tab-relationship-stakeholder -* - Statement +* - + - Statement - Guidance - Importance -* - You should have a clear process in place for stakeholders to feedback on your TRE infrastructure. +* - 4.7.1 + - You should have a clear process in place for stakeholders to feedback on your TRE infrastructure. - This may include a GitHub repository where people can open issues and discussions, communication streams like Slack or email, or forms stakeholders can fill in. - Recommended ``` 
@@ -167,17 +188,21 @@ Rationale: ```{list-table} :header-rows: 1 :name: tab-supporting-pie -* - Statement +* - + - Statement - Guidance - Importance -* - You should ensure that all public engagement activities are representative and inclusive. +* - 4.8.1 + - You should ensure that all public engagement activities are representative and inclusive. - Any public engagement activity carried out by TREs should make sure they are involving a representative sample where possible and that activities are accessible and open. This could include following guidelines such as [PEDRI](https://www.pedri.org.uk/). - Recommended -* - You could publicly share the details of any projects which use the TRE. +* - 4.8.2 + - You could publicly share the details of any projects which use the TRE. - This may be via the TRE website or annual reports. - Optional -* - You could include members of the public in your approvals process. +* - 4.8.3 + - You could include members of the public in your approvals process. - This may be carried out via a separate public panel or by including members of the public on an approvals panel. - Optional ``` @@ -194,10 +219,12 @@ The ability of the TRE operator to access suitable and timely legal advice. :header-rows: 1 :name: tab-legal-services -* - Statement +* - + - Statement - Guidance - Importance -* - You should have identify areas where legal advice may be required and ensure that you have ready access to it. +* - 4.9.1 + - You should have identify areas where legal advice may be required and ensure that you have ready access to it. - It is likely that legal advice will be necessary for several issues around the handling of sensitive data, and managing project contracts. TRE operators should have ready access to legal advice, including a way to solicit advice and carry out associated actions. - Recommended 
@@ -209,10 +236,12 @@ The ability of the TRE operator to access suitable and timely legal advice. :header-rows: 1 :name: tab-legal-dp -* - Statement +* - + - Statement - Guidance - Importance -* - You should identify areas where legal advice may be required and ensure that you have ready access to it. +* - 4.9.2 + - You should identify areas where legal advice may be required and ensure that you have ready access to it. - It is likely that data protection advice will be necessary for several issues around the handling of sensitive data. - Recommended ``` @@ -223,10 +252,12 @@ The ability of the TRE operator to access suitable and timely legal advice. :header-rows: 1 :name: tab-legal-cm -* - Statement +* - + - Statement - Guidance - Importance -* - You should identify who will be responsible for managing contracts related to the TRE. +* - 4.9.3 + - You should identify who will be responsible for managing contracts related to the TRE. - These contracts may include data sharing agreements, secondments of personnel or limitations on how results obtained with the data can be distributed. - Recommended ``` From d2a0f68ff1406806bc3f1de51dc3ed3d327e01aa Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Thu, 10 Aug 2023 12:54:31 +0100 Subject: [PATCH 4/5] Limit heading numbering in specification toctree --- docs/source/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/index.md b/docs/source/index.md index 2f41d5c2..bb33a22d 100644 --- a/docs/source/index.md +++ b/docs/source/index.md @@ -10,7 +10,7 @@ roles.md ```{toctree} :hidden: -:numbered: +:numbered: 2 :caption: Specification pillars/information_governance.md From a56c3ef829a122664ed70f766a93f96c06c8e694 Mon Sep 17 00:00:00 2001 
From: James Robinson Date: Thu, 10 Aug 2023 13:16:07 +0100 Subject: [PATCH 5/5] :wrench: Switch to headings --- docs/source/pillars/computing_technology.md | 52 ++++++-- docs/source/pillars/data_management.md | 26 ++-- docs/source/pillars/information_governance.md | 116 +++++++++++++----- docs/source/pillars/supporting.md | 16 ++- 4 files changed, 155 insertions(+), 55 deletions(-) diff --git a/docs/source/pillars/computing_technology.md b/docs/source/pillars/computing_technology.md index 273d4598..629b57a3 100644 --- a/docs/source/pillars/computing_technology.md +++ b/docs/source/pillars/computing_technology.md @@ -23,7 +23,9 @@ The required compute resources will vary according to the scale of data and comp The ability of the TRE operator to provide and manage devices, workspaces, interfaces and applications used by researchers to interact with underlying systems and data. -**End user computing interfaces:** This group of {term}`application components ` is a collection of systems and software that allows people to interact with the TRE. +### End user computing interfaces + +This group of {term}`application components ` is a collection of systems and software that allows people to interact with the TRE. This may include desktop, command-line and/or code-submission interfaces. ```{list-table} @@ -51,7 +53,9 @@ This may include desktop, command-line and/or code-submission interfaces. - Optional ``` -**Software tools:** This {term}`application component ` is the tools used by researchers inside a TRE, such as programming languages, IDEs and desktop applications. +### Software tools + +This {term}`application component ` is the tools used by researchers inside a TRE, such as programming languages, IDEs and desktop applications. ```{list-table} :header-rows: 1 
@@ -93,7 +97,9 @@ This may include desktop, command-line and/or code-submission interfaces. - Mandatory ``` -**Code Version Control System:** This {term}`application component ` is the systems and tools providing version control and collaboration features for code developed inside the TRE. +### Code Version Control System + +This {term}`application component ` is the systems and tools providing version control and collaboration features for code developed inside the TRE. ```{list-table} :header-rows: 1 @@ -110,7 +116,9 @@ This may include desktop, command-line and/or code-submission interfaces. - Recommended ``` -**Artefact Management Application:** This {term}`application component ` is a service that manages and organises third-party software artefacts such as packaged code libraries or containers. +### Artefact Management Application + +This {term}`application component ` is a service that manages and organises third-party software artefacts such as packaged code libraries or containers. ```{list-table} :header-rows: 1 @@ -131,7 +139,9 @@ This may include desktop, command-line and/or code-submission interfaces. - Optional ``` -**Advanced or Cluster Computing System:** This {term}`application component ` involves the use of advanced, powerful computer resources to solve complex problems and process large amounts of data, possibly using specialised hardware. +### Advanced or Cluster Computing System + +This {term}`application component ` involves the use of advanced, powerful computer resources to solve complex problems and process large amounts of data, possibly using specialised hardware. ```{list-table} :header-rows: 1 
@@ -174,7 +184,9 @@ This may include desktop, command-line and/or code-submission interfaces. The ability of the TRE operator to deploy, change or remove physical or virtual infrastructure. -**Infrastructure Deployment Process:** This {term}`business process ` involves setting up and configuring infrastructure components and resources to support applications or services. +### Infrastructure Deployment Process + +This {term}`business process ` involves setting up and configuring infrastructure components and resources to support applications or services. This requires development, installation, configuration, and validation. ```{list-table} @@ -209,7 +221,9 @@ This requires development, installation, configuration, and validation. - Recommended ``` -**Infrastructure Removal Process:** This {term}`business process ` involves retiring or removing infrastructure assets that are no longer needed or outdated, ensuring proper data handling and disposal. +### Infrastructure Removal Process + +This {term}`business process ` involves retiring or removing infrastructure assets that are no longer needed or outdated, ensuring proper data handling and disposal. ```{list-table} :header-rows: 1 @@ -225,7 +239,9 @@ This requires development, installation, configuration, and validation. - Mandatory ``` -**Availability Management Process:** This {term}`business process ` involves ensuring all IT infrastructure meets the agreed levels of availability. +### Availability Management Process + +This {term}`business process ` involves ensuring all IT infrastructure meets the agreed levels of availability. ```{list-table} :header-rows: 1 
@@ -246,7 +262,9 @@ This requires development, installation, configuration, and validation. - Recommended ``` -**Network Management Application:** This {term}`application component ` is an application used to manage network infrastructure, ensuring proper functioning, security, and performance. +### Network Management Application + +This {term}`application component ` is an application used to manage network infrastructure, ensuring proper functioning, security, and performance. ```{list-table} :header-rows: 1 @@ -275,7 +293,9 @@ This requires development, installation, configuration, and validation. - Mandatory ``` -**Infrastructure analytics application:** This {term}`application component ` is an application which enables the TRE operator to record and analyse data about the usage of the TRE. +### Infrastructure analytics application + +This {term}`application component ` is an application which enables the TRE operator to record and analyse data about the usage of the TRE. ```{list-table} :header-rows: 1 @@ -301,7 +321,9 @@ This requires development, installation, configuration, and validation. ## Capacity management -**Capacity Planning Process:** This {term}`business process ` involves forecasting and determining the resources required to meet the demands of an application or system, ensuring that adequate resources are available when needed. +### Capacity Planning Process + +This {term}`business process ` involves forecasting and determining the resources required to meet the demands of an application or system, ensuring that adequate resources are available when needed. ```{list-table} :header-rows: 1 
@@ -327,7 +349,9 @@ This requires development, installation, configuration, and validation. - Mandatory ``` -**Billing Process:** This {term}`business process ` involves generating and managing invoices and bills for projects within the TRE. +### Billing Process + +This {term}`business process ` involves generating and managing invoices and bills for projects within the TRE. It involves calculation, issuance, and recording of payments and receipts. ```{list-table} @@ -347,7 +371,9 @@ It involves calculation, issuance, and recording of payments and receipts. ## Configuration management -**Configuration Management Process:** This {term}`business process ` involves the TRE operator identifying, maintaining, and verifying information on IT assets and configurations in the TRE organisation. +### Configuration Management Process + +This {term}`business process ` involves the TRE operator identifying, maintaining, and verifying information on IT assets and configurations in the TRE organisation. ```{list-table} :header-rows: 1 diff --git a/docs/source/pillars/data_management.md b/docs/source/pillars/data_management.md index e381a04b..60600677 100644 --- a/docs/source/pillars/data_management.md +++ b/docs/source/pillars/data_management.md @@ -15,7 +15,7 @@ SATRE Pillars Capability Map ## Data lifecycle management -_The ability of the TRE operator to manage how and where data is stored, how it moves, changes and is removed._ +The ability of the TRE operator to manage how and where data is stored, how it moves, changes and is removed. ```{list-table} :header-rows: 1 @@ -83,7 +83,7 @@ _The ability of the TRE operator to manage how and where data is stored, how it ## Identity and access management -_The ability of the TRE operator to ensure the right people (identities) can only access the tools and data they need._ +The ability of the TRE operator to ensure the right people (identities) can only access the tools and data they need. ```{list-table} :header-rows: 1 
@@ -127,7 +127,7 @@ _The ability of the TRE operator to ensure the right people (identities) can onl ## Output management -_The ability of the TRE operator to ensure outputs are safely published and shared._ +The ability of the TRE operator to ensure outputs are safely published and shared. ```{list-table} :header-rows: 1 @@ -155,7 +155,7 @@ _The ability of the TRE operator to ensure outputs are safely published and shar ## Information search and discovery -_The ability to query and browse the data within an environment at various levels of abstraction._ +The ability to query and browse the data within an environment at various levels of abstraction. ```{list-table} :header-rows: 1 @@ -176,7 +176,7 @@ _The ability to query and browse the data within an environment at various level ## Information security -_This capability relates to the ability of the TRE operator to protect against the unauthorised use of information, especially electronic data._ +The ability of the TRE operator to protect against the unauthorised use of information, especially electronic data. Measures taken to ensure information security can be further categorised into: @@ -190,7 +190,9 @@ These measures include vulnerability management of TRE infrastructure (whether p (vulnerability-management)= -**Vulnerability Management:** The ability of the TRE operator to identify, assess, report on, manage and remediate technical vulnerabilities across endpoints, workloads, and systems. +### Vulnerability Management + +The ability of the TRE operator to identify, assess, report on, manage and remediate technical vulnerabilities across endpoints, workloads, and systems. ```{list-table} :header-rows: 1 
@@ -223,7 +225,9 @@ These measures include vulnerability management of TRE infrastructure (whether p (security-testing)= -**Security testing:** Security testing enables the TRE operator to gain assurance in the security of a TRE by testing or attempting to breach some or all of that system's security. +### Security testing + +Security testing enables the TRE operator to gain assurance in the security of a TRE by testing or attempting to breach some or all of that system's security. ```{list-table} :header-rows: 1 @@ -257,7 +261,9 @@ These measures include vulnerability management of TRE infrastructure (whether p (encryption)= -**Encryption:** The ability of the TRE operator to deploy and manage encryption to protect information assets, including data for TRE research projects. +### Encryption + +The ability of the TRE operator to deploy and manage encryption to protect information assets, including data for TRE research projects. Here we define 'project' data as the data brought in for work which is very likely to be sensitive and 'user' data, as the working files of a project which might hold copies of all or part of the project data or otherwise reveal sensitive data (_e.g._ through hard coded row/column names). @@ -297,7 +303,9 @@ Here we define 'project' data as the data brought in for work which is very like (physical-security)= -**Physical security:** The ability of the TRE operator to manage and protect physical assets from unauthorised access, damage or destruction. +### Physical security + +The ability of the TRE operator to manage and protect physical assets from unauthorised access, damage or destruction. Physical security controls can provide TREs using highly sensitive data an extra layer of security, even if technical controls are already in place for less sensitive data: diff --git a/docs/source/pillars/information_governance.md b/docs/source/pillars/information_governance.md index 655290dd..a28cb283 100644 
--- a/docs/source/pillars/information_governance.md +++ b/docs/source/pillars/information_governance.md @@ -17,7 +17,9 @@ For example, some requirements will arise from national legislation such as GDPR ## Governance Requirements -**Requirements Gathering and Monitoring:** This {term}`business process ` involves collecting, documenting, and managing the functional and non-functional requirements for the TRE based on the TRE organisation's goals and data assets. +### Requirements Gathering and Monitoring + +This {term}`business process ` involves collecting, documenting, and managing the functional and non-functional requirements for the TRE based on the TRE organisation's goals and data assets. ```{list-table} :header-rows: 1 @@ -35,7 +37,9 @@ For example, some requirements will arise from national legislation such as GDPR - Mandatory ``` -**Controls:** This {term}`business process ` involves measures, safeguards, or mechanisms implemented to manage or mitigate risks and ensure the integrity, confidentiality, availability, and reliability of systems, processes, or data. +### Controls + +This {term}`business process ` involves measures, safeguards, or mechanisms implemented to manage or mitigate risks and ensure the integrity, confidentiality, availability, and reliability of systems, processes, or data. ```{list-table} :header-rows: 1 @@ -51,7 +55,9 @@ For example, some requirements will arise from national legislation such as GDPR - Mandatory ``` -**Resource Allocation Process:** This {term}`business process ` involves assigning, distributing, and managing resources (such as personnel, finances, equipment, or time) within the TRE organisation to meet objectives and priorities effectively. +### Resource Allocation Process + +This {term}`business process ` involves assigning, distributing, and managing resources (such as personnel, finances, equipment, or time) within the TRE organisation to meet objectives and priorities effectively. ```{list-table} :header-rows: 1 
@@ -71,7 +77,9 @@ For example, some requirements will arise from national legislation such as GDPR What the organisation does to measure and control quality of processes, documentation and outputs. -**Document and SOP Management Process:** This {term}`business process ` involves creating, organising, updating, and controlling documents and Standard Operating Procedures (SOPs) within the TRE organisation. +### Document and SOP Management Process + +This {term}`business process ` involves creating, organising, updating, and controlling documents and Standard Operating Procedures (SOPs) within the TRE organisation. ```{list-table} :header-rows: 1 @@ -91,7 +99,9 @@ What the organisation does to measure and control quality of processes, document - Mandatory ``` -**Quality Management Process:** This {term}`business process ` involves the generation and dissemination of reports or dashboards that provide insights and metrics on the performance and effectiveness of quality management processes and activities. +### Quality Management Process + +This {term}`business process ` involves the generation and dissemination of reports or dashboards that provide insights and metrics on the performance and effectiveness of quality management processes and activities. ```{list-table} :header-rows: 1 @@ -107,7 +117,9 @@ What the organisation does to measure and control quality of processes, document - Mandatory ``` -**Internal Audit Process:** This {term}`business process ` involves an independent evaluation process within the TRE organisation that assesses and improves its internal controls, risk management, and governance. +### Internal Audit Process + +This {term}`business process ` involves an independent evaluation process within the TRE organisation that assesses and improves its internal controls, risk management, and governance. ```{list-table} :header-rows: 1 
@@ -127,7 +139,9 @@ What the organisation does to measure and control quality of processes, document - Mandatory ``` -**Supplier Management and Monitoring Process:** This {term}`business process ` involves a structured approach to managing and monitoring relationships with external suppliers, vendors and contractors, including selection, contract management and compliance oversight. +### Supplier Management and Monitoring Process + +This {term}`business process ` involves a structured approach to managing and monitoring relationships with external suppliers, vendors and contractors, including selection, contract management and compliance oversight. ```{list-table} :header-rows: 1 @@ -149,7 +163,9 @@ What the organisation does to measure and control quality of processes, document - Mandatory ``` -**Asset Management Process:** This {term}`business process ` involves a systematic approach to acquiring, operating, maintaining, and disposing of assets within an organization, aimed at maximizing their value and minimizing risks. +### Asset Management Process + +This {term}`business process ` involves a systematic approach to acquiring, operating, maintaining, and disposing of assets within an organization, aimed at maximizing their value and minimizing risks. ```{list-table} :header-rows: 1 
@@ -166,7 +182,9 @@ What the organisation does to measure and control quality of processes, document - Mandatory (where physical assets are in scope) ``` -**Issue Management Process:** This {term}`business process ` involves a systematic approach to identifying, tracking, resolving, and managing issues or problems that arise within a TRE organisation, aiming to minimize their impact and ensure timely resolution. +### Issue Management Process + +This {term}`business process ` involves a systematic approach to identifying, tracking, resolving, and managing issues or problems that arise within a TRE organisation, aiming to minimize their impact and ensure timely resolution. ```{list-table} :header-rows: 1 @@ -186,7 +204,9 @@ What the organisation does to measure and control quality of processes, document - Mandatory ``` -**Quality Management Data:** This {term}`data object ` consists of data, including training records and configuration data, collected and used to monitor, evaluate, and improve the quality of processes, or services within the TRE organisation. +### Quality Management Data + +This {term}`data object ` consists of data, including training records and configuration data, collected and used to monitor, evaluate, and improve the quality of processes, or services within the TRE organisation. ```{list-table} :header-rows: 1 
@@ -203,7 +223,9 @@ What the organisation does to measure and control quality of processes, document - Recommended ``` -**Quality Management System Application:** This {term}`application component ` is a software application or platform used to manage and automate quality management processes, including document control, corrective actions, audits, and performance tracking. +### Quality Management System Application + +This {term}`application component ` is a software application or platform used to manage and automate quality management processes, including document control, corrective actions, audits, and performance tracking. ```{list-table} :header-rows: 1 @@ -224,7 +246,9 @@ What the organisation does to measure and control quality of processes, document What the organisation does to ensure information risk is measured and managed to an acceptable level. -**Risk Assessment Process:** This {term}`business process ` involves the systematic evaluation and analysis of potential risks, threats, or vulnerabilities, including their likelihood, potential impact, and the effectiveness of existing controls or mitigation measures. +### Risk Assessment Process + +This {term}`business process ` involves the systematic evaluation and analysis of potential risks, threats, or vulnerabilities, including their likelihood, potential impact, and the effectiveness of existing controls or mitigation measures. ```{list-table} :header-rows: 1 
@@ -244,7 +268,9 @@ What the organisation does to ensure information risk is measured and managed to - Mandatory ``` -**Risk Treatment Process:** This {term}`business process ` involves the selection and implementation of strategies, controls, or measures to manage or mitigate identified risks, such as risk avoidance, risk transfer, risk reduction, or risk acceptance. +### Risk Treatment Process + +This {term}`business process ` involves the selection and implementation of strategies, controls, or measures to manage or mitigate identified risks, such as risk avoidance, risk transfer, risk reduction, or risk acceptance. ```{list-table} :header-rows: 1 @@ -260,7 +286,9 @@ What the organisation does to ensure information risk is measured and managed to - Mandatory ``` -**Risk Ownership Process:** This {term}`business process ` involves the assignment of responsibility and accountability to individuals or entities for managing and mitigating specific risks within the TRE organisation. +### Risk Ownership Process + +This {term}`business process ` involves the assignment of responsibility and accountability to individuals or entities for managing and mitigating specific risks within the TRE organisation. ```{list-table} :header-rows: 1 @@ -285,7 +313,9 @@ What the organisation does to ensure information risk is measured and managed to What the organisation does to create and maintain research projects and work packages within the TRE. -**Study Onboarding Process:** This {term}`business process ` involves onboarding or initiating a research study, including setting up necessary infrastructure, obtaining approvals, and defining protocols or methodologies. +### Study Onboarding Process + +This {term}`business process ` involves onboarding or initiating a research study, including setting up necessary infrastructure, obtaining approvals, and defining protocols or methodologies. ```{list-table} :header-rows: 1 
@@ -301,7 +331,9 @@ What the organisation does to create and maintain research projects and work pac - Mandatory ``` -**Compliance Checking Process:** This {term}`business process ` involves verifying and ensuring adherence to applicable laws, regulations, standards, or internal policies within the TRE organisation. +### Compliance Checking Process + +This {term}`business process ` involves verifying and ensuring adherence to applicable laws, regulations, standards, or internal policies within the TRE organisation. ```{list-table} :header-rows: 1 @@ -322,7 +354,9 @@ What the organisation does to create and maintain research projects and work pac - Mandatory ``` -**Study Closure Process:** This {term}`business process ` involves the formal conclusion of a research study or project, including final data analysis, reporting, documentation, and archiving. +### Study Closure Process + +This {term}`business process ` involves the formal conclusion of a research study or project, including final data analysis, reporting, documentation, and archiving. ```{list-table} :header-rows: 1 @@ -338,7 +372,9 @@ What the organisation does to create and maintain research projects and work pac - Mandatory ``` -**Study Management Portal:** This {term}`application component ` is an online platform that provides centralised access to manage research studies including onboarding studies, control of access and administration of compliance tasks. +### Study Management Portal + +This {term}`application component ` is an online platform that provides centralised access to manage research studies including onboarding studies, control of access and administration of compliance tasks. ```{list-table} :header-rows: 1 
@@ -355,7 +391,9 @@ What the organisation does to create and maintain research projects and work pac - Optional ``` -**Data Asset Register:** This {term}`data object ` is a database or other electronic record that documents and manages information about the TRE organisation's data assets, including their characteristics, ownership, usage, and other relevant details. +### Data Asset Register + +This {term}`data object ` is a database or other electronic record that documents and manages information about the TRE organisation's data assets, including their characteristics, ownership, usage, and other relevant details. ```{list-table} :header-rows: 1 @@ -373,7 +411,9 @@ What the organisation does to create and maintain research projects and work pac - Mandatory ``` -**Study Register:** This {term}`data object ` is a centralised record or database that tracks and manages information about research studies and projects. +### Study Register + +This {term}`data object ` is a centralised record or database that tracks and manages information about research studies and projects. ```{list-table} :header-rows: 1 @@ -393,7 +433,9 @@ What the organisation does to create and maintain research projects and work pac Ability to ensure that people with access to data are correctly identified and they are suitably qualified. -**Identity Verification Process:** This {term}`business process ` involves confirming or authenticating the identity of individuals or entities, often through the verification of personal information, credentials, or biometric data. +### Identity Verification Process + +This {term}`business process ` involves confirming or authenticating the identity of individuals or entities, often through the verification of personal information, credentials, or biometric data. ```{list-table} :header-rows: 1 
@@ -409,7 +451,9 @@ Ability to ensure that people with access to data are correctly identified and t - Mandatory ``` -**User Onboarding Process:** This {term}`business process ` involves introducing and integrating researchers and data consumers onto a TRE's systems, processes, including training, access provisioning, and orientation. +### User Onboarding Process + +This {term}`business process ` involves introducing and integrating researchers and data consumers onto a TRE's systems, processes, including training, access provisioning, and orientation. ```{list-table} :header-rows: 1 @@ -425,7 +469,9 @@ Ability to ensure that people with access to data are correctly identified and t - Mandatory ``` -**Identity and Access Management Services:** This {term}`application component ` is a system to govern and control user identities, access privileges, authentication, and authorization within an organisation. +### Identity and Access Management Services + +This {term}`application component ` is a system to govern and control user identities, access privileges, authentication, and authorization within an organisation. ```{list-table} :header-rows: 1 @@ -445,7 +491,9 @@ Ability to ensure that people with access to data are correctly identified and t - Mandatory ``` -**Authentication Application:** This {term}`application component ` is a software system that verifies and validates the identities of users or entities accessing a system through multifactor authentication. +### Authentication Application + +This {term}`application component ` is a software system that verifies and validates the identities of users or entities accessing a system through multifactor authentication. ```{list-table} :header-rows: 1 
@@ -461,7 +509,9 @@ Ability to ensure that people with access to data are correctly identified and t - Mandatory ``` -**User Identity Attributes:** This {term}`data object ` consists of characteristics or attributes associated with a user's identity, such as username, email address, role, permissions, or affiliations. +### User Identity Attributes + +This {term}`data object ` consists of characteristics or attributes associated with a user's identity, such as username, email address, role, permissions, or affiliations. ```{list-table} :header-rows: 1 @@ -482,7 +532,9 @@ Ability to ensure that people with access to data are correctly identified and t Ability to deliver, track and maintain adequate training levels to ensure competence of all people within the TRE organisation. -**Curriculum Creation and Management Process:** This {term}`business process ` involves designing, developing, and managing educational curricula, courses through training needs analysis for required competency. +### Curriculum Creation and Management Process + +This {term}`business process ` involves designing, developing, and managing educational curricula, courses through training needs analysis for required competency. ```{list-table} :header-rows: 1 @@ -511,7 +563,9 @@ Ability to deliver, track and maintain adequate training levels to ensure compet - Mandatory ``` -**Certification Management Process:** This {term}`business process ` involves managing and overseeing certifications or qualifications held by individuals or entities, including tracking expiry dates, renewals, and compliance requirements. +### Certification Management Process + +This {term}`business process ` involves managing and overseeing certifications or qualifications held by individuals or entities, including tracking expiry dates, renewals, and compliance requirements. ```{list-table} :header-rows: 1 
@@ -531,7 +585,9 @@ Ability to deliver, track and maintain adequate training levels to ensure compet - Recommended ``` -**Learning Management System:** This {term}`application component ` is a software platform or application that facilitates the administration, delivery, and tracking of educational or training programs, often including course materials, assessments, and learner progress tracking. +### Learning Management System + +This {term}`application component ` is a software platform or application that facilitates the administration, delivery, and tracking of educational or training programs, often including course materials, assessments, and learner progress tracking. ```{list-table} :header-rows: 1 @@ -547,7 +603,9 @@ Ability to deliver, track and maintain adequate training levels to ensure compet - Optional ``` -**Courses Data:** This {term}`data object ` consists of information or data associated with educational courses, including course materials and syllabi, assessments. +### Courses Data + +This {term}`data object ` consists of information or data associated with educational courses, including course materials and syllabi, assessments. ```{list-table} :header-rows: 1 diff --git a/docs/source/pillars/supporting.md b/docs/source/pillars/supporting.md index 78c0c497..95342ffa 100644 --- a/docs/source/pillars/supporting.md +++ b/docs/source/pillars/supporting.md @@ -154,7 +154,9 @@ The implementation and management of quality IT services that meet the needs of All activities aimed at ensuring a continuous level of engagement is maintained between the TRE operator and its customers, stakeholders and other interested parties. -**Stakeholder relationships:** Activities aimed at engaging with TRE stakeholders. +### Stakeholder relationships + +Activities aimed at engaging with TRE stakeholders. ```{list-table} :header-rows: 1 
@@ -213,7 +215,9 @@ The ability of the TRE operator to access suitable and timely legal advice. -**Legal advisory:** The ability of the TRE operator to provide suitable and timely legal advice. +### Legal advisory + +The ability of the TRE operator to provide suitable and timely legal advice. ```{list-table} :header-rows: 1 @@ -230,7 +234,9 @@ The ability of the TRE operator to access suitable and timely legal advice. - Recommended ``` -**Data protection:** Ability to ensure data is used fairly, lawfully and transparently; for specified, explicit purposes; and in a way that is adequate, relevant and limited to only what is necessary. +### Data protection + +Ability to ensure data is used fairly, lawfully and transparently; for specified, explicit purposes; and in a way that is adequate, relevant and limited to only what is necessary. ```{list-table} :header-rows: 1 @@ -246,7 +252,9 @@ The ability of the TRE operator to access suitable and timely legal advice. - Recommended ``` -**Contract management:** What the organisation does to ensure that all contracts are effectively managed within required frameworks. +### Contract management + +What the organisation does to ensure that all contracts are effectively managed within required frameworks. ```{list-table} :header-rows: 1
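Review bot: In the supporting.md hunk at -213,7, the new body under `### Legal advisory` ("The ability of the TRE operator to provide suitable and timely legal advice.") nearly repeats the context line directly above it ("The ability of the TRE operator to access suitable and timely legal advice."), and the two disagree on whether the operator provides or accesses the advice. With the text now under its own heading the duplication is more visible. Suggest settling on one verb and rewording the subsection so it says something the preceding description does not.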
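Review bot: The headings added in the supporting.md hunks (`### Stakeholder relationships`, `### Legal advisory`, `### Data protection`, `### Contract management`) use sentence case, while the headings added in the earlier hunks use title case (`### Risk Assessment Process`, `### Study Register`). The supporting.md bodies also stay as bare fragments ("Activities aimed at engaging with TRE stakeholders.") with no {term} component type, unlike the "This {term}`business process ` involves ..." pattern elsewhere in the patch. Suggest choosing one heading case and one description pattern across both files, or noting in the commit message that supporting.md is deliberately left in the older style.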
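Review bot: In the hunk at -409,7, the sentence moved under `### User Onboarding Process` still reads "onto a TRE's systems, processes, including training, access provisioning, and orientation", where the list "systems, processes," is missing its conjunction. Since the line is being rewritten anyway, suggest "onto a TRE's systems and processes, including training, access provisioning, and orientation".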
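Review bot: In the hunk at -425,7, the description under `### Identity and Access Management Services` mixes spelling conventions in one sentence: "authorization within an organisation". The rest of the patch uses British spelling ("organisation", "centralised"), so suggest "authorisation" here for consistency.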
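Review bot: In the hunk at -482,7, the description carried over under `### Curriculum Creation and Management Process` is hard to parse: "managing educational curricula, courses through training needs analysis for required competency" runs a list and a method together. The same pattern appears in the -547,7 hunk under `### Courses Data` ("course materials and syllabi, assessments"). Suggest rewording both while the lines are being touched, for example "educational curricula and courses, based on a training needs analysis of the required competencies" if that is the intended meaning, and "course materials, syllabi and assessments".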