The Human Services Professionals

Online rostering

What is online rostering?
Visit live site now
Visit demo site now
Download quotation now

Roster review

Excel-based RosterCoster

Your greenfield rosters

Your core rosters

Download quotation now

Apps & projects

What is EMSOnline?
Features and benefits
Download demos apps now
Download quotation now

EMSOnline: data protection update

Preamble

The following data protection applies if data is to be stored, at you request, in Microsoft Access (our second preference) rather than SQL Server (our first preference). Having said that, very good security can be achieved using the former via your existing folder setup. The following can be adapted to your lcoal requirements at your request, and should be viewed as a template arising from a large organisation for which the template was created.


Updated: 6 December 2010
Application / Information repository name: INSERT NAME OF APP


Business Reason for handling sensitive data	Control Question Response	Control Status	Comments
Access Controls
Are there formal access controls in place?	YES	Documented in a Policy, Standard and in Procedures, Processes	The Data Control Centre administrator controls top level permissions, and people with lower level permissions control permissions to other users on a need to access / need to know basis.
Do they articulate who has access to what and why?	YES	Documented in a Policy, Standard and in Procedures, Processes	The Data Control Centre administrator controls permissions to limited parts of the EMSOnline Data Control Centre. People given this permission are approved by the Management Teams relevant to the apps hosted and / or the project managers for apps hosted, and have limited access and / or control over data and permissions. These people grant access and / or control further down the hierarchy.
Is the access allocated to a particular role or an individual?	YES	Documented in a Policy, Standard and in Procedures, Processes	Access is controlled by the Data Control Centre administrator, who delegates control further down the hierarchy as approved by the Management Teams relevant to the apps hosted and / or the project managers for apps hosted.
Are third parties permitted access to the application?	NO	Documented in a Policy, Standard and in Procedures, Processes	All access is via the EMSOnline home page, with permissions controlled out of the Data Control Centre, see above.
Are users required to undergo security checks / vetting before being granted access to the application?	YES	Documented in a Policy, Standard and in Procedures, Processes	People given this permission are approved by the Management Teams relevant to the apps hosted and / or the project managers for apps hosted, and have limited access and / or control over data and permissions. These people grant access and / or control further down the hierarchy.
Is a password required to access the application?	YES	Documented in a Policy, Standard and in Procedures, Processes	EMSOnline permissions read the user's login name, which has a password maintained by the organisation.
Is access revoked when no longer needed? E.g. upon Termination?	YES	Documented in a Policy, Standard and in Procedures, Processes	Management Teams relevant to the apps hosted and / or the project managers for apps hosted revoke access via a link on the EMSOnline home page.

Anti-virus Software
Is there anti-virus software installed on the device hosting the application ?	YES	Documented in a Policy, Standard and in Procedures, Processes	EMSOnline is wholly developed within Microsoft Office on the your network, and is a recipient of all your organisation's anti-virus software that is provided to Microsoft Office within your organisation.
Are files virus scanned before being opened?	YES	Documented in a Policy, Standard and in Procedures, Processes	EMSOnline is wholly developed within Microsoft Office on the your organisation's network, and is a recipient of all your organisation's virus scanning of Microsoft Office files opened within your organisation.

Auditing, Monitoring and Reviewing
Are file and user activity monitored for inappropriate and illegal activity?	NO	Documented in a Policy, Standard and in Procedures, Processes	EMSOnline is wholly developed within Microsoft Office on the your organisation's network, and the rules that apply to data entry in Microsoft Office files in general within your organisation apply to data entered via EMSOnline.
Are there regular processes in place to audit user activity and information processes?	YES	Documented in a Policy, Standard and in Procedures, Processes	Management Teams relevant to the apps hosted and / or the project managers for apps hosted commission all the auditing that is required for data entered into a given app.
When was the application last audited?	N/A	Documented in a Policy, Standard and in Procedures, Processes	Audit reports are created daily / continuously, for the review of your organisation's Management Teams relevant to the apps hosted and / or the project managers for apps hosted.

Incident Response
Is there a documented process to deal with security incidents?	YES	Documented in a Policy, Standard and in Procedures, Processes	Updates of the EMSOnline Continuous Improvement Program is circulated regularly to the project managers for apps hosted, and the latest project plan for each app is made available to the project managers for apps hosted. This document contains a standard list of risk management headings, and the response.
Has the application's security been breached and information inappropriately accessed or disclosed in the last 12 months?	NO	Documented in a Policy, Standard and in Procedures, Processes	No security breaches have been reported in the history of apps hosted at EMSOnline (since its launch in 2001/02)

Awareness
Are users provided with an appropriate "user manual" and necessary security information?	YES	Documented in a Policy, Standard and in Procedures, Processes	The home page of EMSOnline contains a clear statement regarding the fact that all data hosted at EMSOnline is subject to security permissions. Users with access to the Data Control Centre agree to read the standard data security guidelines on an intro screen every time they enter the Data Control Centre, and agree to receive orientation from Christine Tiernan, Manager User Support Systems EMSOnline, prior to using the Data Control Centre for the first time.
Do users know who to contact for security concerns?	YES	Documented in a Policy, Standard and in Procedures, Processes	The home page of EMSOnline contains a user support system via which users are able to log a request regarding security or any other matter.
Is there a clearly defined owner (and delegate) for the application?	YES	Documented in a Policy, Standard and in Procedures, Processes	The home page of EMSOnline lists all hosted apps, and the project manager currently responsible for each.

Backups, Business Continuity & Disaster Recovery

Is the application backed up at regular intervals?	YES	Documented in a Policy, Standard and in Procedures, Processes	Every night (recommended) on your organisation's backup tapes.
Is there an alternative that can be used if the application is unavailable ?	NO	Documented in a Policy, Standard and in Procedures, Processes	If the application is unavailable (for example due to scheduled maintenance by your IT people), users receive a prompt asking them to "try again later" or similar. tailored responses can be arranged by request.
Is there a formal Business Continuity Plan / Disaster Recovery plan in place and has it been tested within the last 12 months?	YES	Documented in a Policy, Standard and in Procedures, Processes	The EMSOnline Continuous Improvement Program and, if specific additional measures are required, the project plan for a given app, contains information regarding disaster recovery. We have only ever once needed a formal recovery, due to a large move from one building to another by a government department in the early 2000s, and we needed to be called in to recover rosters that had been uploaded in that window of time.

Change Management

Are formal change management processes used when making changes to the application?	YES	Documented in a Policy, Standard and in Procedures, Processes	The EMSOnline Continuous Improvement Program has as a condition for upgrade for apps that a change management plan must be in place.

Patching

Is the application up-to-date with known patches?	YES	Documented in a Policy, Standard and in Procedures, Processes	EMSOnline is wholly developed within Microsoft Office on the your organisation's network, and receives all patches approved by your organisation for Microsoft Office generally.
Is there a structured process in place to ensure that application vulnerabilities are patched in a timely manner?	YES	Documented in a Policy, Standard and in Procedures, Processes	EMSOnline is wholly developed within Microsoft Office on the your organisation's network, and receives all patches approved by your organisation for Microsoft Office generally.

Information Classification & Handling

Is information being handled by the application assessed for integrity as well as confidentiality and availability requirements?	YES	Documented in a Policy, Standard and in Procedures, Processes	All data entered into apps hosted at EMSOnline is data validated and screened to the level required by the project manager for the app.
Is Information handled by the application appropriately classified and labelled according to organisational requirements?	YES	Documented in a Policy, Standard and in Procedures, Processes	The classification and labelling of data entered into apps hosted at EMSOnline is in line with data entry into any Microsoft Office file, with additional labels such as the login name of the user, and the user's permission level and position, and other details of the user, as the relevant manager may require.
Is Information handled by the application appropriately disposed of according to organisational requirements when no longer required?	YES	Documented in a Policy, Standard and in Procedures, Processes	Please note that as far as we are aware, no data entered into EMSOnline should be disposed of.
Is the application information encrypted / protected in accordance with organisational requirements?	YES	Documented in a Policy, Standard and in Procedures, Processes	Information is protected to the maximum level allowed to us by your IT people via the your organisation's permissions structure and, where relevant, by the project managers for apps hosted. As part of our continuous improvement plan, we also continuously seek access to additional protection via SQL Server, rather than by ourselves.
Can application information be downloaded to removable media such as USB drives?	YES	Documented in a Policy, Standard and in Procedures, Processes	Certain apps and many reports allow for information to be detached in standalone Microsoft Office and other files for the purpose of, for example, sending rosters to house staff, or roster stats to managers.
Can information be uploaded to the application from removable media such as USB drives?	YES	Documented in a Policy, Standard and in Procedures, Processes	Certain apps allow for information to be submitted from standalone Microsoft Office files for the purpose of, for example, submitting roster information into EMSOnline databases.

Physical Security

Where is the application hosted? - general organisational network? Dedicated network? Standalone device?	YES	Documented in a Policy, Standard and in Procedures, Processes	The application is hosted entirely on the your organisation's Network.
Is the device hosting the application in a secure environment? E.g. a data centre? Computer room?	YES	Documented in a Policy, Standard and in Procedures, Processes	The application is hosted in permissions controlled folders on the your organisation's Network.

Information Flows

Are the information flows to and from the application documented?	YES	Documented in a Policy, Standard and in Procedures, Processes	The EMSOnline Continuous Improvement Program contains a standard that the 'App Design' for an app is to contain all the screens in the app, and all data flows.
Does the documentation include details of information: creation, maintenance, storage, exchange and sharing, input ,output and processing validation?	YES	Documented in a Policy, Standard and in Procedures, Processes	The business rules for creating an 'App Design' are specific in relation to all these types of information.

Remote and Wireless Access

Are there controls governing the physical location from where the application can be accessed?	YES	Documented in a Policy, Standard and in Procedures, Processes	The application can only be accessed when the user is logged in, and also has been granted the relevant permissions.
Is remote access to the application permitted?	YES	Documented in a Policy, Standard and in Procedures, Processes	The application can only be accessed when the user is logged in, which for some managers can occur remotely. N.b. not all links work when logged in remotely, as the current scope of the application is that it should provide full access to users logged in locally (physically inside your organisation).
Is wireless access to the application permitted?	NO	Documented in a Policy, Standard and in Procedures, Processes	Application by wireless is not permitted except where your organisation may allow a user to login using wireless.

Compliance

Has the application been assessed for compliance with organisational policies and standards within the last 12 months? And what were the outcomes?	NO	Documented in a Policy, Standard and in Procedures, Processes	EMSOnline has been audited twice in 2010, once by a large organisation where it is installed, and once (that audit is in progress) by an external auditor (Deloitte). To date, no issues raised, but we will in good time get a report arising from the latter.
Are the Application owner and users conversant with the relevant legislative and regulatory requirements pertaining to the information being handled by the application?	YES	Documented in a Policy, Standard and in Procedures, Processes	The application ownerhas been working on this application and in particular the RosterCoster app since 1993, and is conversant to the extent that he has frequently been involved over the years in most issues relating to app development and maintenance. The EMSOnline Continuous Improvement Program contains a permanent application for the maximum level of compliance within the context of limited project budgets.
Is the application subject to legislative and /or regulatory compliance? If so please indicate in appropriate column..	YES	Documented in a Policy, Standard and in Procedures, Processes	See above.
Has the application's compliance with the relevant legislative and regulatory requirements been validated within the last 12 months?	NO	Documented in a Policy, Standard and in Procedures, Processes	See above.
Have there been any compliance breaches noted with the last 12 months, e.g. arising from a formal audit such as one conducted by VAGO or through other means and what were the outcomes if any?	NO	Documented in a Policy, Standard and in Procedures, Processes	EMSOnline has never had a compliance breach since its introduction in 2001/02.

EMSOnline data protection update

Quick Launch