UNCLASSIFIED. ISO27002 Organising Information Security. Restrictions? If Y please give the reason for the restriction below.

Transcription

1 Meeting Paper title Executive Team Date 18/06/12 ISO27002 Organising Information Security Agenda item 3 Discussion time Purpose of paper Decision 15 mins Restrictions on public access including staff Restrictions? N If Y please give the reason for the restriction below. Presenter ET sponsor Lesley Bett, Charlotte Powell, Simon Ebbitt Daniel Benjamin Corporate Plan aim 7.9 Continuing to review and improve the ICO s Corporate Governance and its own compliance with information rights legislation. Summary Who has been consulted? SIRO, Information Security Manager UNCLASSIFIED 1

2 ISO27002 Organising Information Security Introduction / Aim of the paper The ICO has committed to compliance with the information security code of practice ISO The Information Governance Department has been assessing compliance against the code of practice s eleven modules and their individual security controls. The aim of this paper is to provide information concerning ICO s organisation of information security and for agreement on 3 recommendations. Decisions needed and recommendations made 1. A review of the ICO s security policy should be undertaken to ensure that it clearly communicates the Executive Team s and Management Board s commitment to information security. It is recommended that this identifies the Accounting Officer (CG) and the ICO s Senior Information Risk Owner SIRO (DB). 2. That ET commits to the role, the training and development of the ICO s Information Asset Owners (IAO s). 3. That ET agrees to, and supports the pilot of an IAO assurance reporting process within Corporate Services. Background An assessment has been undertaken against the ten controls within the Organisation of Information Security IS module. This paper will only consider ICO s compliance with the following three controls. Management should actively support security within the organisation through clear direction, demonstrated commitment, and acknowledgement of information security responsibilities. All information security responsibilities should be clearly defined. Information security should be co-ordinated by representatives from different parts of the organisation with relevant roles and job functions providing an annual written assurance to the SIRO. UNCLASSIFIED 2

3 1. Management Commitment. Whilst it is clear that there is management commitment to information security, compliance with the code of practice requires evidence of compliance and commitment. The ICO has in place a security policy which is published on the website. The published policy is signed by the Commissioner, albeit in It is recommended that this is reviewed, updated and signed off by the Executive Team. The current policy is a single side of A4 and is a high level statement of our commitment to information security. The review will take account of changes in the threat environment since it was last reviewed. It is envisaged that this review will not be time consuming and result in a new draft for comments and sign off. The review will be undertaken by a member of the Information Governance Department and comments provided by the Executive Team. 2. Information Security Roles and Responsibilities As a result of the Data Handling Review (full report published in 2008) the role of Senior Information Risk Owner (SIRO) and Information Asset Owners (IAO s) were established as the structure for managing information risk throughout government. In short, the SIRO responsibilities are to lead a culture of good information management, own the overall information risk policy and procedures and advise the Accounting Officer on information risk. This role is currently filled by the Director of Corporate Services but does not form part of the job description. An IAO s role is to understand what information is held within their area of responsibility, what is created or added, how information is moved, who has access to it and why. As a result they should be able to understand and address risks to the information and also ensure that the information available is fully utilised. There is currently a page within the security manual, headed management responsibilities, which briefly sets out the role of the SIRO and the IAO s. It also lists the responsibilities of an IAO but records them as business delivery group members (now obsolete). It provides no further details about how these responsibilities should be fulfilled. UNCLASSIFIED 3

4 It is recommended that the list of IAO s should be reviewed to reflect current responsibilities within ICO, that the role and responsibilities of the IAO are clearly defined and that the IAO responsibilities are added to job descriptions. This work will be led by a member of the Information Governance Department however time will be required from the IAO s and SIRO to gain a full understanding of the requirements of the role. IAO and SIRO time will also be required for any necessary training. 3. Reporting and Assurance. A fundamental part of the IAO s role is to provide formal assurance concerning their information assets to the SIRO. This should provide the SIRO with a clear understanding of any information risks so that ET can be fully updated and seek resolution where necessary. This form of reporting does not currently take place and therefore information security risks may not always be visible and the appropriate risk treatment may not be implemented. A reporting system or process should be developed to ensure that IAO s regularly report to the SIRO to enable him to provide assurance to ET that information risk is being properly managed. It is recommended that an information risk register forms part of the regularly reporting and this can be used to report to ET and MB. After consultation with the SIRO it is recommended that a reporting process is developed in Human Resources as the holder of a number of sensitive records and then run as a pilot more widely in the Corporate Services Directorate before rolling it out to the rest of the office. This will involve the development of the information risk register and a template for the mandatory reporting to the SIRO. This work will be led by a member of the Information Governance Department. Time will be required by the Head of Organisational Development for the development of the reporting process. Subsequently time will be required from all IAO s on an ongoing basis when the reporting process is fully rolled out. Options considered Other options have not been considered as the ISO controls are clear and ICO has committed to ISO27002 Information Security Code of Practice. UNCLASSIFIED 4

5 Risks and opportunities This is an opportunity for ICO to lead in this area and demonstrate best practice in terms of its information security management and compliance with ISO It is also an opportunity to provide regular assurance and visibility to ET about current information risks and appropriate risk treatment. Financial issues IAO training options will be considered as part of this work. Some options may incur a cost. This requirement will be flagged to Learning and Development so that some budget provision can be made. Currently the Information Governance Department are reviewing a free on line training solution which could be used as training for the SIRO and IAO s. If this is not suitable an estimated cost of 5000 should be considered. Staffing issues New IAOS will be identified during this process. Amendments to job descriptions new or existing should only be considered after consultation with the Head of HR. Devolved office issues Information security risks will differ between locations and any processes put into place will need to reflect this. Accommodation issues Environmental issues Privacy issues Equality and diversity issues UNCLASSIFIED 5

6 Conclusion ET are asked to consider each of the recommendations and commit to their implementation. Annexes Author Charlotte Powell Filepath Status and version v0.1 Date last updated and reason Distribution UNCLASSIFIED 6

7 Appendix A ISO27002 ISO27002 is code of practice for information security. It outlines a number of potential controls and control mechanisms to address information security risks. ET have already agreed and committed to ensuring compliance with this code of practice. The code is broken down into 11 modules which are: Security Policy Organisation of Information Security Asset Management Human Resources Security Physical Security Communications and Ops Management Access Control Information Systems Acquisition, Development, Maintenance Information Security Incident Management Business Continuity Compliance The Information Governance Department are currently assessing the ICO compliance on all eleven modules. An update on progress with this project will provided with the next Information Governance Quarterly Report. This paper is concerned with the work related to the Organisation of Information Security module. UNCLASSIFIED 7