UNCLASSIFIED

Information Risk Management Policy

This instruction applies to: NOMS Agency staff (Headquarters) - Reference AI 04/2012; Prisons - Reference PSI 16/2012

Issue Date: 03 May 2012
Effective Date / Implementation Date: 15 May 2012
Expiry Date: 02 May 2016

Issued on the authority of: NOMS Agency Board

For action by: All Governors/Directors of Contracted Prisons and Heads of Groups. In this document Governor also applies to Directors of Contracted Prisons.

For information: All information asset owners, information asset custodians, senior managers, delivery partners and third party suppliers

Contact: Clare Lewis, Information, Assurance and Policy Team. Clare.lewis@hmps.gsi.gov.uk, 0300 047 6258

Associated documents: PSO 9010 - IT Security; PSO 9015 - Information Assurance; PSO 9025 - Archiving Retention and Disposal

Replaces the following documents which are hereby cancelled: None

Audit/monitoring: Compliance with this instruction will be monitored by Audit and Corporate Assurance.

Introduces amendments to the following documents: None

UNCLASSIFIED - PAGE 1 - PSI 16/2012 / AI 04/2012 - ISSUE DATE 03/05/2012
CONTENTS

Section | Subject | Applies to

1 | Executive Summary | Governors, Heads of Groups, Information Asset Owners, Information Asset Custodians
2 | Information Risk Management | Governors, Heads of Groups, Information Asset Owners, Information Asset Custodians
3 | Compiling and Maintaining an Information Risk Register | Governors, Heads of Groups, Information Asset Owners
4 | Business Continuity Planning | Governors, Heads of Groups, Information Asset Owners
5 | Physical and Personnel Security | Governors, Heads of Groups, Information Asset Owners, Information Asset Custodians
6 | Delivery Partners and Third Party Suppliers | Governors, Heads of Groups, Information Asset Owners, Information Asset Custodians
Annex A | Roles and Responsibilities | Governors, Heads of Groups, Information Asset Owners, Information Asset Custodians
Annex B | Information Assurance Risk Management Process | Governors, Heads of Groups, Information Asset Owners
Annex C | Reviewing the Information Risk Register | Governors, Heads of Groups, Information Asset Owners
Annex D | Information Risk Register - Example | Governors, Heads of Groups, Information Asset Owners







1. Executive summary

Background

1.1 Reliable and accurate information management is critical to proper decision making across the Ministry of Justice (MoJ). Information can take many forms and may or may not have protective markings - from data sets containing personal information through to records of sensitive meetings, policy recommendations, prisoner records, case files, correspondence and historical records.

Information is the lifeblood of our organisation; it is a critical business asset that NOMS needs to protect and get the most value from to benefit the business.

The management of information risks should be incorporated into all day-to-day operations. If effectively used it can be a tool for managing information proactively rather than reactively. It will enable NOMS to get the right information to the right people at the right time, and help avoid incidents where data is lost or improperly disclosed.

Desired outcomes

1.2 This policy sets out NOMS' commitment to the management of information risk. It also sets out what prison establishments, headquarters groups, their 'delivery partners' and third party suppliers should do to manage information risk. In doing so, this policy supports the NOMS strategic aims and objectives and should enable employees throughout the organisation to identify an acceptable level of risk and, when required, use the correct risk escalation process.

Application

1.3 Governors, Directors of Contracted Prisons, Heads of Groups, Information Asset Owners and Information Asset Custodians must be familiar with the policy.

Mandatory actions

1.4 Governors, Directors of Contracted Prisons, Heads of Groups and Information Asset Owners must ensure that Senior Management Teams and Information Asset Custodians review and are aware of this policy; a local information risk policy must be produced and be available to all staff.

All establishments and headquarters groups must have an Information Risk Register in place.

The Information Asset Owner must carry out a quarterly review of the information risks.

Resource Impact

1.5 Initial completion of the risk register should take a group of senior managers between 4-6 hours, depending on the complexity of the prison.

Quarterly reviews should take no longer than 1-2 hours, depending on the number of actions identified.







2. Information Risk Management

2.1 Reliable and accurate information is critical to proper decision making in NOMS. This makes information a vital business asset that we need to protect. Information risk management provides this protection by managing risks to the confidentiality, integrity and availability (CIA) of information to assist our business to function effectively.

2.1 Confidentiality means ensuring that only authorised people can get to our information.

2.3 Integrity means ensuring that it is authentic, accurate and complete.

2.4 Availability means that authorised people can access it when they need to, at the right times in the right ways.

2.4 Keeping the right information for the right period of time is also very important and can help ensure we comply with a range of statutory responsibilities (e.g. Freedom of Information Act 2000, Public Records Act 1958 & 1967, Data Protection Act 1998), supply information when it's requested by, for example, high-profile public enquiries, and provide supporting evidence in the event of litigation against NOMS. For guidance refer to PSO 9025 - Archiving, Retention and Disposal.

2.5 Information Asset Owner (IAO)

IAOs are responsible for the day to day use of information, which includes who has access to the information, and for the risk management of their information. They are usually governing governors or heads of group but may be other senior managers, such as IT system owners, involved in running the relevant business area.

2.6 IAOs are responsible for making sure their business areas, delivery partners and third party suppliers with whom they work have in place the arrangements needed to implement and maintain an effective information risk management policy. The IAO may wish to appoint Information Asset Custodians to work on their behalf, taking day to day oversight of assets and reporting back to the IAO on the changes to risks.

Further information about the role of the IAO can be found in Annex A of this document and Appendix 1 of PSO 9015 - Information Assurance.

2.7 Information Risk Register

IAOs must review information risks on a quarterly basis as part of the review of the establishment/business group Information Asset Register and, where appropriate, escalate any risks to the Information Policy and Assurance (IPA) Team at informationassurance@noms.gsi.gov.uk or by telephone on 0300 047 6590.

As well as existing risks that have already been identified, the review must also consider forthcoming potential changes in services, technology and threats.

Guidance on reviewing the Risk Register can be found in Annex C.

2.8 The IPA team will decide whether it is appropriate to escalate any risks to the NOMS Senior Information Risk Owner (SIRO) (Annex A). NOMS is required to provide a report on information risk annually as part of a MoJ annual assessment of information risk, and the information received from the IAOs forms part of this report. Additionally NOMS is required to provide quarterly risk updates to the MoJ SIRO Board.

2.9 The IAO must ensure that any Information and Communications Technology (ICT) systems that hold protectively marked information are accredited according to government standards by a MoJ Accreditor. For further information on the accreditation process or to determine whether the ICT system is an accredited system please contact a member of the MoJ ICT team.

2.10 Disciplinary action will be considered for any member of staff (including contractors, consultants, and suppliers so far as is feasible) who does not follow the mandatory actions set out in this policy, unless prior agreement to do so has been secured from the NOMS SIRO.

3. Compiling and Maintaining an Information Risk Register

3.1 To provide evidence that the risks in their business area have been identified and that there are plans in place for managing them, the IAO must compile and maintain an Information Risk Register. A well-organised and easy to understand Risk Register is fundamentally important. The register needs to provide enough information to the IAO to enable them to identify and explain the risk management decisions within each business group.

3.2 Each prison establishment and headquarters group will already have an Information Asset Register in place; this can be used to help to identify the different types of information assets held and provide direction on the risk to the organisation that a loss / compromise or lack of availability of that asset would have.

3.3 The Information Risk Register

A partially completed risk register template that you can amend to fit your own establishment / business area can be found in Annex D. The draft has been provided to assist you but you will need to look at the information in each of the columns and consider the extent to which it is valid in your location.

3.4 You must include any additional risk descriptions and possible causes with establishment / business area specific risks and causes where necessary.

3.5 Prison establishments and business areas must use the NOMS Information Risk Register template provided, which contains the following information:

- a description of each risk expressed in terms of the potential or actual compromise associated with the risk and the cause (threat and vulnerability),
- an indication of the Information Assurance (IA) controls already in place to remediate each risk,
- a rating that reflects the likelihood of the risk being realised, typically expressed in terms of the 'score' assigned by the risk assessment method used,
- a rating that reflects the business impact associated with the threat being realised, typically expressed in terms of the 'score' assigned by the risk assessment process,
- a description of the IA controls that the business group has or plans to implement to further control the risk (together with any additional actions or contingency arrangements that lessen the business impact if the risk is realised),
- a target date for implementing proposed IA controls or other plans to reduce the risk further, and
- a target rating that reflects the score following the implementation of the further controls.

Guidance on completing a risk register can be found in Annex B.

An Excel version of the Risk Register template can be downloaded from the IPA team's intranet pages.






3.6 Escalating the Risk

If a risk hits a certain score it must be escalated to a specific management level. If a risk is given a collective impact/likelihood score of 9 or above, or an existing risk being managed at establishment level whose collective score for impact and likelihood is/becomes 9 or above, it must be escalated to the NOMS SIRO via the IPA Team. The NOMS IPA team can be contacted on informationassurance@noms.gsi.gov.uk or on 0300 047 6590.

3.7 It is unlikely that a risk with a score of 15+ will be identified in either prison establishments or headquarters groups that has not already been identified and included in the overall NOMS Information Risk Register. However any new/existing risks which are identified as having a score of 15 or above must be escalated to the MoJ SIRO Board by the IPA team.

Further guidance on escalating risks to the appropriate level can be found in Annex B.

3.8 The Annual Information and Assurance Compliance Statement required under PSO 9025 - Archiving Retention and Disposal includes a statement giving assurance that your Risk Register is in place. The return must be completed and sent electronically to the NOMS IPA team at informationassurance@noms.gsi.gov.uk by 31 March each year.



4. Business Continuity Planning

4.1 The purpose of business continuity is to create the conditions that ensure a business can continue to operate even after an event that denies it access to its assets and information: this could be a server failure, a power cut, a fire or any other catastrophic event.

4.2 To ensure business continuity is maintained across NOMS all prison establishments must have in place a Contingency Plan for the loss of Prison NOMIS. The Governor/IAO is responsible for contingency plans within their establishment and must nominate suitable personnel for undertaking tasks identified in the plan. Whilst HPES will be responsible for managing the resolution of the disruption, it is the responsibility of the IAO to make sure that all staff are aware of the contingency plans and have enough knowledge to implement them.

4.3 It is important that IAOs in both establishments and headquarters identify their local 'vital records'. These are information assets that are not held on the Quantum system but have been identified as essential for the continuation of NOMS operations if, for example, stand alone IT systems and / or paper records cannot be accessed.

4.4 The plan must identify proposals for the recovery of business critical activities promptly and efficiently and include proposals for the protection of local 'vital records' and NOMS information assets.

4.4 For guidance on putting in place suitable business continuity and contingency plans for ICT systems, prison establishments may wish to consult with MoJ ICT.

4.5 For staff in headquarters and regional offices PSO 1401 Para 1.2 - Business Continuity Management Manual provides guidance on business continuity planning.



5. Physical and Personnel Security

5.1 Physical Security - Security managers in prison establishments and headquarters buildings must assess any physical security risks that affect the sites and environments in which ICT-based and paper-based information systems reside. They must ensure that IAOs (and ICT accreditors) are made aware of any assessed risks that affect them.

5.2 Personnel security - All staff must have the appropriate level of checking or 'vetting' needed to assure the reliability of each employee (including contractors) according to the sensitivity of the information that the member of staff has regular access to and the business impact that might arise if that employee discloses this information without authority. Refer to AI 24/2010 or PSI 2010/43 - Security Vetting for more information.


6. Delivery Partners and Third Party Suppliers

6.1 NOMS Delivery Partners and Third Party Suppliers must identify and manage risks to all NOMS information assets that they have access to and/or control of, including escalating them via the necessary channels as outlined in this policy (via the IAO, the IPA Team and NOMS SIRO).

6.2 Any significant risks relating to NOMS information must be raised with the relevant point of contact and if required the relevant IAO, as outlined in this policy.

Any enquiries regarding the instructions contained within this policy should be directed to the NOMS IPA team at informationassurance@noms.gsi.gov.uk or on 0300 047 6590.

(approved for publication by:)

Martin Bellamy, NOMS Senior Information Risk Owner (SIRO), Director of Change and ICT, NOMS







Annex A

Roles and Responsibilities

1. MoJ SIRO Board; SIRO means Senior Information Risk Owner. The Board is composed of all of the MoJ's Business Group SIROs and Executive Agency SIROs. The Board is chaired by the MoJ SIRO.

2. NOMS Senior Information Risk Owner (SIRO); The NOMS SIRO has overall responsibility for all NOMS information assets in NOMS Headquarters and prison establishments. The NOMS SIRO sits on the SIRO Board and provides assurance that all information asset owners in NOMS are following their responsibilities.

The NOMS SIRO is the NOMS CICT Director; they are the focus for the management of information risk at Board level, are familiar with information risks and would lead the NOMS response in the event of a major data incident.

3. Information Asset Owners (IAOs); are usually governing governors or heads of group but may be other senior managers involved in running the relevant business area. They are responsible for the day to day use as well as the risk management of their information asset, and for supporting the NOMS SIRO in carrying out their duties.

IAOs identify and manage information risks associated with the particular NOMS Information Asset(s) they are responsible for. Their role is to understand what information is held, what is added and removed, and who has access and why, as well as ensuring that information is fully used within the law for the public good, and providing written input annually to the NOMS SIRO on the security and use of their asset. IAOs are also responsible for ensuring that appropriate business continuity plans are in place for their prison establishment or business area.

IAOs are responsible for implementing this information risk management policy in their respective business areas, and for regularly reviewing the policy. To this end the IAOs are responsible for making sure their business areas, and the delivery partners and third party suppliers with whom they work, have in place the arrangements needed to implement and maintain an effective information risk management policy.

The IAO may wish to appoint Information Asset Custodians to work on their behalf, taking day to day oversight of assets and reporting back to the IAO on the changes to risks.

Further information about the role of the IAO can be found in Appendix 1 of PSO 9015 - Information Assurance.

4. Information Asset Custodians (IAC) are involved in the day to day use and management of information assets in a particular area. They will be appointed by the IAO to have responsibility for overseeing and implementing the necessary safeguards to protect the information assets and to report back to the IAO on any changes to risks. The IAO will retain the overall responsibility.

5. The Information Policy and Assurance (IPA) Team is based in the Change and Information Communication Technology Directorate (CICT). The team aims to provide information management to deliver business benefits and efficiency savings, reduce information risk and facilitate compliance with information legislation.

Its role is to enable, monitor and develop Information Assurance Maturity and Compliance within NOMS. The team also owns and maintains the NOMS Information Risk Register and provides written advice to the NOMS SIRO on the security and use of NOMS assets.






Annex B

Information Assurance Risk Management Process

Risk management is an iterative process. It encompasses the following stages: Risk Identification, Risk Assessment, Risk Monitoring and Escalation.

A Risk Register that provides enough information to explain risk management decisions will enable the IAO to monitor and manage the risks within their business group.

A partially completed risk register template that you may wish to amend to fit your business group can be found in Annex D. The draft has been provided to help you to prepare your local document. In order to complete it you will need to look at the information in each column and consider the extent to which it is true in your location and provide an appropriate risk rating.

You must include any additional risk descriptions with establishment / business area specific risks, causes and mitigating actions and also include the possible consequences of the risk being compromised where necessary.

An Excel version of the Risk Register template can be downloaded from the IPA Team's intranet pages.

Stage 1 - Risk Identification:

1.1 Situations where risks must be identified may take many forms, for example:

- Preparation to develop a new Information Communication Technology (ICT) based or paper-based information system,
- Regular review under 'business as usual' arrangements for maintaining IA, and
- Work to address a change of requirement.

1.2 The starting point in these examples is risk analysis: being clear on what information assets fall within scope of the assessment and the importance of those assets to the business (or the impact of loss of confidentiality, integrity or availability).

1.3 Each prison establishment or business group will already have an Information Asset Register in place; this can be used to help to identify the different types of information assets held and to provide direction on the risk to the organisation that a loss / compromise of that asset would have. Some examples of information assets are:

- Staff and HR Details
- Official Correspondence
- Prisoner records and reports
- Financial budgetary information
- Litigation or caseworking files
1.4 Once you have considered the information assets that might be at risk you need to identify the 'risk description', which is the form that the compromise / loss might take. The following suggestions are some of the factors that you might want to consider as risk descriptions when completing your own register; this list is only for guidance and you might identify different or additional risks that are more appropriate in your own business area:

- Inappropriate disclosure of personal material
- Theft, loss or unauthorised access to information (paper records should be considered as well as electronic and systems)
- Ineffective or insecure information sharing
- Records retained for the wrong length of time
- Failure to create or locate reliable records as evidence of business decisions and activities
- Poor management of information risk
- Stand alone IT systems that are not supported through Quantum

1.5 Once you have identified the 'risk description', the next step is to identify the organisations, people or events that pose a threat to your information assets. The following are just a few of the possible causes of information loss / compromise but you need to consider which of these are true in your business area and update the Risk Register to reflect this:

- Lack of awareness and training
- Absence of information sharing agreements
- Password sharing
- Documents sent to incorrect address or lost/compromised during transmission
- Dishonesty
- Inappropriate storage
- Records retained unnecessarily, resulting in large volumes of data to be searched
- Unavailability of business continuity plans

1.6 An important part of the risk identification process for IT systems is through the accreditation process. Further information on this process can be found in PSO 9010 - IT Security.

Stage 2 - Assessing the Scale of Risk:

2.1 Assessing a risk involves evaluating two factors, these are:

- The Impact to the organisation were the compromise/loss to occur, and
- The Likelihood of the risk being realised, taking into account the working environment and past experience.

2.2 The assessment of these factors helps you to decide on the overall severity of each risk; this means that they can be prioritised and resources focused on the most serious.

2.3 The table below illustrates what score is attached to each level for both impact and likelihood. Once you have decided on the scores they are multiplied together to give the overall risk score.

2.4 For example:

- A risk is determined to have a 'significant detrimental effect in the long term' and would have a score of High (4).
- It is then judged the likelihood of this occurring is unlikely, giving a score of Low (2).
- This is multiplied to give a total risk score of 8.
- This score is then used to determine if the risk needs escalating.







Scale - Impact - Likelihood

5 - Very High
  Impact: Prevents achievement of NOMS objectives or has highly damaging impact on NOMS operational effectiveness or reputation.
  Likelihood: > 80 % - Almost Certain

4 - High
  Impact: Significant detrimental effect on achievement of NOMS corporate objectives in the longer term. National media criticism.
  Likelihood: 51 - 80 % - Probable

3 - Medium
  Impact: Impacts at local level on elements of efficiency, output and quality which impacts on the outcome of long term NOMS corporate objectives. Potential for negative local media coverage.
  Likelihood: 21 - 50 % - Possible

2 - Low
  Impact: Impact at local level on short term goals within their objectives without affecting long term achievement of NOMS corporate objectives.
  Likelihood: 6 - 20 % - Unlikely

1 - Very Low
  Impact: Minor and containable impact on achievement of local (establishment / business area) objectives.
  Likelihood: < 5 % - Very Unlikely

Risk scores can be shown on a matrix:

Risk A: Very High Impact (5), and High Likelihood (4), giving a score of 20;
Risk B: High Impact (4), and Medium Likelihood (3), giving a score of 12;
Risk C: Low Impact (2), and High Likelihood (4), giving a score of 8.

2.5 The risk scores are used to decide if the level of risk is acceptable, or if further action to mitigate is required (e.g. controls, escalation and/or contingency plans).

Stage 3 - Managing the risk:

3.1 There are generally four options that the IAO must consider when deciding how to manage the identified risk.








3.2 The first one is 'treating the risk', which is done by applying one or more Information Assurance controls to reduce the likelihood of the risk being realised or lessen the impact if the risk is realised. Examples of these controls could be:

- Implementing the mandatory actions in PSO 9015 - Information Assurance
- Implementing the mandatory actions in PSO 9025 - Archiving Retention and Disposal
- Using the Government Protective Marking Scheme
- Investigation of incidents and lessons learned
- Training and awareness
- Putting in place suitable business contingency plans

3.3 The second option is 'removing the risk'; this is done by finding another way to achieve a business objective, for example returning protectively marked documents to the originating department rather than storing them within NOMS.

3.4 Another possible option to consider is 'transferring the risk' by outsourcing services. It is important to recognise that even if it is possible to transfer responsibility for managing a risk to an organisation other than NOMS, the consequences of a risk will rest wherever the business impact associated with it being realised is felt. The legal basis for sharing information and appropriate contractual provisions and arrangements to ensure compliance with control requirements must be in place.

3.5 Finally the IAO could decide that 'tolerating the risk' is the most appropriate action. This is usually done where:

- the financial cost of mitigation is too great,
- the likelihood of the risk being realised is low,
- the impact on the organisation if the risk is realised is low, or else
- the business benefit is high.

Stage 4 - Monitor and Escalate:

4.1 An ongoing programme of periodic monitoring, inspection and testing is required which validates and provides evidence that the IA controls used to manage risks remain effective.

4.2 An annual Information and Assurance Compliance Statement is required under PSO 9025 - Archiving Retention and Disposal; the statement must be completed on an annual basis and includes a statement giving assurance that your Risk Register is in place.

4.3 In addition to this the IAO must carry out a quarterly review of the information risks. As well as existing risks that have already been identified, the review must also consider forthcoming potential changes in services, technology and threats. Reviews must be discussed at local SMT level and minuted.

4.4 Where the risk relates to ICT-based information systems: Business groups must use Her Majesty's Government's (HMG) accreditation process to assess, treat, validate and verify risk to all ICT-based information systems on which their business operations depend. For further information on the accreditation process or to determine whether the ICT system is an accredited system please contact a member of the MoJ ICT team.
4.5 If a risk hits a certain score it must be escalated to a specific management level. This is set out below:

- Very High (I/L 20-25): MoJ Board via the Corporate Risk Register
- High (I/L 15-19): SIRO Board through the NOMS IPA Team
- Med (I/L 9-14): NOMS SIRO through the NOMS IPA Team
- Low (I/L 5-8): Information Asset Owner
- V. Low (I/L 1-4): Can be managed at Business Group level
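Worked example of the scoring and escalation rules above, added here as an illustration; it is not part of PSI 16/2012 and not a NOMS tool. It computes the overall score as impact x likelihood on the 1-5 scales from Stage 2 (paragraphs 2.3-2.4), maps a score onto the Stage 4 escalation bands in paragraph 4.5, and applies the "collective score of 9 or above goes to the NOMS SIRO" rule from Section 3.6 over a small constructed register. The function names, the RiskEntry fields and the sample register rows are assumptions made for the example; the risk descriptions reuse the example descriptions listed in Stage 1.

```python
"""Added example (not from PSI 16/2012): impact x likelihood scoring and
escalation banding, as described in Annex B Stage 2 and Stage 4."""

from dataclasses import dataclass

# Scale labels from the Annex B table; the same 1-5 values are used for
# both impact and likelihood.
SCALE = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}

# Escalation bands from paragraph 4.5: (lowest score, highest score, band, route).
ESCALATION = [
    (20, 25, "Very High", "MoJ Board via the Corporate Risk Register"),
    (15, 19, "High", "SIRO Board through the NOMS IPA Team"),
    (9, 14, "Medium", "NOMS SIRO through the NOMS IPA Team"),
    (5, 8, "Low", "Information Asset Owner"),
    (1, 4, "Very Low", "Managed at Business Group level"),
]


def risk_score(impact: int, likelihood: int) -> int:
    """Overall score = impact x likelihood, each on the 1-5 scale (para 2.3)."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if value not in SCALE:
            raise ValueError(f"{name} must be 1-5, got {value!r}")
    return impact * likelihood


def escalation_level(score: int) -> tuple[str, str]:
    """Return (band, route) for a score, following the paragraph 4.5 table."""
    for low, high, band, route in ESCALATION:
        if low <= score <= high:
            return band, route
    raise ValueError(f"score {score} is outside the 1-25 matrix")


@dataclass
class RiskEntry:
    """One row of a local Information Risk Register (hypothetical field set)."""
    ref: str
    description: str
    impact: int
    likelihood: int
    target_impact: int       # expected rating once further controls are in place
    target_likelihood: int

    @property
    def score(self) -> int:
        return risk_score(self.impact, self.likelihood)

    @property
    def target_score(self) -> int:
        return risk_score(self.target_impact, self.target_likelihood)


def needs_siro_escalation(entry: RiskEntry) -> bool:
    """Section 3.6 / Step 1: a collective score of 9 or above goes to the NOMS SIRO."""
    return entry.score >= 9


def review_register(entries):
    """Quarterly review helper: one dict per row with score, band, route and
    whether the proposed controls actually lower the rating (target < current)."""
    rows = []
    for e in entries:
        band, route = escalation_level(e.score)
        rows.append({
            "ref": e.ref,
            "score": e.score,
            "band": band,
            "route": route,
            "target_score": e.target_score,
            "controls_reduce_risk": e.target_score < e.score,
        })
    return rows


# Constructed sample register: descriptions come from the Stage 1 examples,
# the ratings are made up for illustration.
SAMPLE_REGISTER = [
    RiskEntry("R1", "Theft, loss or unauthorised access to paper records", 4, 2, 4, 1),
    RiskEntry("R2", "Records retained for the wrong length of time", 3, 3, 2, 2),
    RiskEntry("R3", "Stand alone IT systems not supported through Quantum", 5, 4, 4, 2),
    RiskEntry("R4", "Ineffective or insecure information sharing", 2, 2, 2, 2),
]

if __name__ == "__main__":
    for row in review_register(SAMPLE_REGISTER):
        print(row)
```

Running the block prints one line per register row. The target columns model the "target rating" column the template requires in Section 3.5, so a quarterly review can see at a glance which rows sit in the SIRO band and where the proposed controls leave the rating unchanged (R4 in the sample), which is the case the review should question.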



4.
6

How does it work in practice? The description below illustrates the step by step

process.




Step 1

(Risk registration)

-

Any new risk which has a collective impact/likelihood
score of 9 or above, or an existing risk being managed at Business Group level
whose collective score for impact and likelihood is/becomes 9 or above,
must

be
es
calated to the NOMS SIRO via the
NOMS
IPA Team

at

informationassurance@noms.gsi.gov.uk

or by telephone on 0300 047 659
0
.




Step
2

(Risk acceptance)

-

The NOMS SIRO will review any proposed new
risks
and make a decision on whether to accept, reject or transfer the risk to a new
owner. The NOMS SIRO will also agree that the scoring is appropriate, the
mitigating actions, target dates and risk owner.




Step 3 (Escalation to SIRO Board) - It is unlikely that a risk score of 15+ will be identified in either prison establishments or headquarters groups that has not already been identified and included in the overall NOMS Information Risk Register. However, any new or existing risks which are identified as having an impact/likelihood score of 15 or above will be escalated to the SIRO Board, who will consider whether the risk should be escalated to the Corporate Risk Register (generally a score of 20-25); if appropriate the Corporate Risk Team will notify the Departmental Board.

These risks will require an accompanying action plan (or risk treatment plan) setting out in detail the full risk, the controls in place, the proposed mitigating controls and a detailed timeline to completion. Additionally, SIROs will be required to provide updates on these significant risks.




Step 4 (Closure) - Risks with a score of 15+ which are tabled for closure will need to go to the SIRO Board with an accompanying closure report (which may be an updated action plan, outlining all of the mitigations which are in place, the target score which has been achieved and any residual risk).


4.7 It is worth remembering that when risks are escalated and assessed at the next management level, the level of impact is likely to be moderated as objectives and responsibilities widen. Therefore, a risk identified at local level may often (although not in all cases) have a lower impact upon the overall NOMS business objective.








Annex C

Reviewing the Information Risk Register


1.1 IAOs must review information risks on a quarterly basis and, where appropriate, escalate any risks to the Information Policy and Assurance (IPA) Team. At each review consider whether existing risks are still relevant, whether they still attract the same score and whether new risks have emerged. Even where risks remain the same, it is likely that controls and contingency plans will require updating.


1.2 Where an operationally significant risk has been identified the IAO will need to describe the mitigating actions that will be put in place and then assess the residual risk rating, taking into account the additional measures that are being proposed. When the review of the Risk Register is carried out the IAO must take into account when the mitigating actions have been carried out so they can be entered onto the register as control measures (Annex D).


1.3 As well as existing risks that have already been identified, the review must also consider forthcoming potential changes in services, technology and threats.













Annex D

Information Risk Register

Information Asset Owner …………………………………………………………………………………………

HMP/Business Group ……………………………































Register columns (the scoring cells for Last Period, Current and Target are blank in this template):

Risk ID
Risk Description (Risk (Event), Cause(s), Effect(s))
Controls: In Place and Active (transfer to the Controls Proposed / Planned column where controls are not currently in place)
Last Period: I, L
Current: I, L
Controls: Proposed / Planned (incl. Date/Action Officer)
Target: I, L, Date
Risk Owner
Control Owner

Risk ID 1

Risk (Event): Inappropriate Disclosure of personal data

Cause(s):
- Lack of awareness training
- Absence of Information Sharing Agreements (ISAs)
- Requests to access information are not escalated to Information Asset Owner
- Failure to check contents of disclosure
- Failure to follow Government Protective Marking Scheme (GPMS)

Effect(s):
- Serious and unwarranted damage and distress to individuals
- Breach of DPA and infringement of privacy
- Regulatory, court action or financial penalties
- Damage to reputation and integrity
- Cost and resources required to investigate

Controls: In Place and Active
- Compliance with PSO 9015 - Information Assurance
- Obtaining guidance and support regarding incident management from Information Assurance Team
- Local Information Sharing Agreements (identify local agreements here if they are in place)
- Annual Information Assurance Training (enter current completion rate)
- IA Audit compliance (enter current score)
- Identified IA roles in place (IAO, Custodian, LIM, IAR)

Controls: Proposed / Planned (Additional Action)
- 100% Annual level 1 information assurance training completed for all staff by 31 March / Action:
- IAO Reference Guide read by IAO and recorded in annual compliance statement / Action:
- Information Assurance Audit compliance by………….. / Action:












Risk ID 2

Risk (Event): Theft, loss or unauthorised access to information (electronic and systems related)

Cause(s):
- Inadequate access and permissions management
- Password sharing
- Poor information asset management
- Dishonesty
- Emails sent to wrong address or lost / compromised during transmission
- Non-Quantum IT breaches security requirement - i.e. 5x5 data transfers and backups
- Inadequate business continuity planning

Effect(s):
- Serious and unwarranted damage and distress to individuals
- Breach of DPA and infringement of privacy
- Regulatory, court action or financial penalties
- Damage to reputation and integrity
- Cost and resources required to investigate
- Cost of recreating / retrieving information

Controls: In Place and Active
- Compliance with PSO 9010 - IT Security
- Compliance with PSO 9020 - Data Protection, FOI
- Compliance with PSO 9015 - Information Assurance
- Implementation of the Government Protective Marking Scheme
- Only laptops, Blackberrys and USB memory sticks encrypted to HMG standards will be used
- Annual Information Assurance training (enter current completion rate)
- Regular data backups are carried out and up to date backup logs are kept

Controls: Proposed / Planned (Additional Action)
- Data Loss Reporting guidelines issued to all staff by………. / Action:




Risk ID 3

Risk (Event): Theft, loss or unauthorised access to information (paper based)

Cause(s):
- Lack of awareness of, or failure to follow, protective marking, or inappropriate classification
- Documents stored in damp conditions and damaged beyond repair
- Documents not filed correctly and not available to be retrieved
- Dishonesty / sabotage
- Carelessness
- Clear desk policy not enforced
- Documents posted / faxed to wrong address or lost / compromised during transmission

Effect(s):
- Serious and unwarranted damage and distress to individuals
- Breach of DPA and infringement of privacy
- Regulatory, court action or financial penalties
- Damage to reputation and integrity
- Cost and resources required to investigate
- Cost of recreating / retrieving information

Controls: In Place and Active
- Compliance with PSO 9010 - IT Security
- Compliance with PSO 9020 - Data Protection, FOI
- Compliance with PSO 9015 - Information Assurance
- Implementation of the Government Protective Marking Scheme
- Annual Information Assurance training (enter current completion rate)

Controls: Proposed / Planned (Additional Action)
- Data Loss Reporting guidelines issued to all staff by………. / Action:




Risk ID 4

Risk (Event): Ineffective or Insecure Information Sharing

Cause(s):
- Information sharing agreements not in place or not comprehensive enough
- Failure to share the right information with the right people at the right time
- Shared information is not stored securely or in line with GPMS
- Shared information that is held electronically is not stored on secure and accredited ICT systems

Effect(s):
- Information used for purposes other than those agreed
- Failure to disclose critical information for offender case management
- Serious and unwarranted damage and distress to individuals
- Adverse effect on prisoner discipline
- Breach of DPA and infringement of privacy
- Damage to reputation and integrity
- Information not shared prior to the departure of staff - knowledge not retained
- Loss of business continuity

Controls: In Place and Active
- Compliance with PSO 9015 - Information Assurance
- Obtaining guidance and support from Information Assurance Team
- Local Information Sharing Agreements (identify local agreements here if they are in place)
- Effective business continuity plans in place

Controls: Proposed / Planned (Additional Action)
- (none entered in this template)




Risk ID 5

Risk (Event): Records Retained for the Wrong Length of Time

Cause(s):
- Information not covered by retention policy
- Lack of awareness and motivation
- Dishonesty / sabotage
- Records retained 'just in case'
- Records not removed from non-Quantum IT systems in line with retention policy

Effect(s):
- Breach of DPA, FOI and Public Records Act
- Breach of other requirements for the retention of records
- Unnecessary cost of storage of physical and electronic information
- Inability to protect NOMS best interests in cases of litigation because relevant records have been destroyed
- Premature destruction seen as an attempt to prevent disclosure
- Regulatory, court or financial penalties
- Damage to reputation and integrity

Controls: In Place and Active
- Compliance with PSO 9025 - Archiving, Retention and Disposal
- Local Information Manager and deputy in post
- Local Information Manager and deputy received training

Controls: Proposed / Planned (Additional Action)
- (none entered in this template)




Risk ID 6

Risk (Event): Failure to Create or Locate Reliable Records as Evidence of Business Decisions and Activities

Cause(s):
- Records not created in the first place to document key decisions and activities
- Records retained unnecessarily result in large volumes of data to be searched when information is requested
- Records are not managed systematically and electronic and physical filing is not carried out

Effect(s):
- Breach of DPA and FOI
- Records required for evidential purposes (i.e. in court) will not be available
- Legal action against NOMS
- Critical information can't be found or takes too long to find when needed

Controls: In Place and Active
- Compliance with PSO 9015 - Information Assurance
- Compliance with PSO 9025 - Archiving, Retention and Disposal
- Effective review and destruction process in place
- Effective use of Shared Drive folders on Quantum system

Controls: Proposed / Planned (Additional Action)
- (none entered in this template)












Risk ID 7

Risk (Event): Vital records and NOMS information assets lost as a result of server failure, a power loss, fire or any other catastrophic event

Cause(s):
- Vital records not identified in local business continuity plan
- Contingency plans are not in place for non-Quantum IT systems such as SIS
- Business continuity plans are not in place

Effect(s):
- Vital records may be destroyed in the event of an incident or failure
- Unable to access information, with potential legal and financial consequences
- Significant investment required in the case of a major incident or failure
- Business continuity affected

Controls: In Place and Active
- Compliance with PSO 1400 - Contingency planning
- Effective contingency plans in place for Prison NOMIS systems
- Effective business continuity plans in place for non-Quantum IT systems such as SIS
- Vital records are identified within local continuity plans
- Desk top contingency exercise carried out every 12 months

Controls: Proposed / Planned (Additional Action)
- (none entered in this template)

Date Signed Off by Information Asset Owner ………………………………….








EIA - Equality Impact Assessment

PSI 16/2012 Information Risk Management Policy


Stage 1 - initial screening

The first stage of conducting an EIA is to screen the policy to determine its relevance to the various equalities issues. This will indicate whether or not a full impact assessment is required and which issues should be considered in it. The equalities issues that you should consider in completing this screening are:

- Race
- Gender
- Gender identity
- Disability
- Religion or belief
- Sexual orientation
- Age (including younger and older offenders).


Aims

What are the aims of the policy?

This policy sets out NOMS' commitment to the management of information risk. It also sets out what prison establishments, private prisons, headquarters groups, their 'delivery partners' and third party suppliers should do to manage information risk.


Effects

What effects will the policy have on staff, offenders or other stakeholders?

This policy supports the NOMS strategic aims and objectives and should enable employees throughout the organisation to identify an acceptable level of risk and, when required, use the correct risk escalation process.

Evidence

Is there any existing evidence of this policy area being relevant to any equalities issue?

Identify existing sources of information about the operation and outcomes of the policy, such as operational feedback (including local monitoring and impact assessments)/Inspectorate and other relevant reports/complaints and litigation/relevant research publications etc. Does any of this evidence point towards relevance to any of the equalities issues?

There is no existing evidence that this policy area has relevance to any equalities issue.

Stakeholders and feedback

Describe the target group for the policy and list any other interested parties. What contact have you had with these groups?

Governors, Directors of contracted prisons, Heads of Groups and Information Asset Owners have a specific interest in this policy. All senior managers and information asset custodians should be aware of the policy. Consultation has been carried out with a sample group of Information Asset Owners, MoJ ICT and IA, PAG and Unions.





Do you have any feedback from stakeholders, particularly from groups representative of the various issues, that this policy is relevant to them?

No feedback has been received from stakeholders.

Impact

Could the policy have a differential impact on staff, prisoners, visitors or other stakeholders on the basis of any of the equalities issues?

The policy is designed to ensure that information risks are managed consistently across prison establishments and headquarters. It will not therefore have a differential impact on staff on the basis of any equalities issues.

Local discretion

Does the policy allow local discretion in the way in which it is implemented? If so, what safeguards are there to prevent inconsistent outcomes and/or differential treatment of different groups of people?

The mandatory policy must be followed with regard to the completion of the Information Risk Register and the compliance statement. The Information Asset Owner (IAO) will need to spend time monitoring and reviewing local processes and the local management plan may differ from business area to business area. However this will relate to the risk management of information assets and not the management of staff or offenders.

Summary of relevance to equalities issues

Strand                               Yes/No   Rationale
Race                                 No       The instruction applies to the risk management of information assets and not the management of staff or offenders
Gender (including gender identity)   No       As above
Disability                           No       As above
Religion or belief                   No       As above
Sexual orientation                   No       As above
Age (younger offenders)              No       As above
Age (older offenders)                No       As above


If you have answered 'Yes' to any of the equalities issues, a full impact assessment must be completed. Please proceed to STAGE 2 of the document.

If you have answered 'No' to all of the equalities issues, a full impact assessment will not be required, and this assessment can be signed off at this stage. You will, however, need to put in place monitoring arrangements to ensure that any future impact on any of the equalities issues is identified.





Monitoring and review arrangements

Describe the systems that you are putting in place to manage the policy and to monitor its operation and outcomes in terms of the various equalities issues.

There is no evidence that equalities issues are relevant to the implementation of this policy. The policy will be managed through a network of Information Asset Owners (IAOs) in prison establishments and headquarters. Compliance will be formally monitored through submission of the compliance statement.

State when a review will take place and how it will be conducted.

A review will take place when the Instruction is reviewed, following a change in legislation or if evidence comes to light which indicates that equalities issues need to be raised.



                 Name and signature   Date
Policy lead      Clare Lewis          17 Nov 11
Head of group    Paul Duffin          17 Nov 11