CPS SECURITY & INFORMATION RISK MANAGEMENT POLICY CPS SECURITY & INFORMATION RISK MANAGEMENT POLICY

Transcription

1 CPS SECURITY & INFORMATION RISK MANAGEMENT POLICY Version 1.0

2 CONTENTS Security Risks 3 Information Assurance Risk 3 Spreading Best Practice 3 Reporting Risks Upwards 4 Typical Risk Escalation Routes.. 4 Process.. 4 Risk Tolerance Prohibited Risk Areas 5 Security and Information Management Risk Key Roles and Responsibilities 6 CPS Board 6 Board Objectives. 7 Role of the SIRO 7 Role of the SIMG. 7 Standards and Compliance 8 The development and availability of the right products and services 8 Improved professionalism across all areas of the IA sector 9 Leadership..9 Delivery..9 Implementation and Maintenance.10 2 Version 1.0

3 Crown Prosecution Service Risk Management: Policy Statement Security Risks Security risks and external threats to the safety and security of CPS staff and all people visiting its premises; its information, facilities and operational capability will be assessed in accordance with policies, procedures and responsibilities set out in the departmental Security Manual. Additional assessments of threats and the appropriate response will be determined from time to time by the Departmental Security Officer (DSO) and Chief Executive (CEO) following central security guidance. Information Assurance Risk CPS policy is to integrate information risk management into existing business and project risk as far as possible. Specific threats are managed via our ISO assurance programme. Additional assessments of threats and the appropriate response will be determined from time to time by the DSO, Chief Information Officer (CIO) and the departmental Senior Information Risk Officer (SIRO). Spreading Best Practice We will foster a culture of spreading best practice, the lessons learnt, and the expertise acquired from our risk management activities across CPS. We will do this by providing: Direct feedback from quality assurance and Area Performance Reviews undertaken by the Corporate Risk Management Advisor; Reviewing and Analysing results from the Annual Certificate of Assurance (which contains specific questions related to the current 3 Version 1.0

4 measures and controls in place in relation to Security and Information Management) Maintaining a statement of best practice standards; The creation, maintenance and annual training (delivered by the centre) of the IMA. Providing relevant, bespoke and up to date guidance on all aspects of security and information assurance best practice guides, advice and hints and tips on the CPS Infonet. The establishment and ongoing improvement of an Information Management Unit which incorporates the following skilled and experienced staff: Combined Departmental Security and IT Security Unit. Data Protection and Freedom of Information Unit. All units are headed up by a designated senior manager responsible for overseeing all security and information management risks and reporting progress into the SIRO. Promoting bespoke security and information management training to managers at all levels. Reporting Risks Upwards When security and / or information management risks materialise or cannot be managed down to an acceptable level, risk owners should ensure that these are reported to the next level of management. The table on the following page shows typical escalation routes. 4 Version 1.0

5 The Corporate Risk Management Advisor will help risk owners to identify unmanaged Area and HQ Directorate risks for escalation through the ongoing review of risk registers and will assess whether activities remain within the CPS risk tolerance level. Typical Risk Escalation Routes Overall Risk Owner Escalate Through Escalate To Corporate Risks Directors Group (DG) CPS Board HQ Directors Corporate Risk Management Advisor/ CPS Board DG DSO / Head of IMU / Security Information Management CPS Board SIRO Group CCP Chief Operating Officer CPS Board HQ Heads of HQ Director/ Corporate Risk DG Division Management Advisor Project Managers Project Board/ DG CPS Board Unit Heads Area Management Team Group Chair/ CCP Process Risks will be systematically identified and objectively assessed. The CPS risk management process is outlined in CPS Risk Management: a Practical Guide; available on the CPS Infonet. CPS Risks will be managed and recorded using formal risk registers and the departmental risk appetite is recorded in the Annual Resource Accounts. Good internal control in operational systems and processes is an integral part of risk management. The existing framework of internal control manages many generic systems risks. The framework of internal control includes: The establishment of policies, standards, processes and procedures; The clear definition of responsibilities; 5 Version 1.0

6 Measurements of resources used against the achievement of objectives and outcomes delivered; Performance management; Financial and budgetary controls. To underpin the framework of internal control, risks to business critical systems and all security and information management processes should be identified, assessed and managed by local management supported by the designated Information Management Advisor (IMA). The Information Asset Owner (IAO) in each HQ Directorate and Area retains ultimate responsible for the management of all security and information management risks within their HQ Directorate / Area. Risk Tolerance Risk Tolerance is the total amount of risk that the CPS or business unit is prepared to accept at any point in time. It is used to as a guide to help decide whether it should take on additional risks (i.e. an additional major change initiative or project). It can also be used to define the level of exposure deemed to be acceptable when managing down individual risks. The Board sets the Service s overall risk tolerance. One of the ways it uses to constrain the department s overall exposure to risk is to set authority limits for managers within its policies, processes and governance structure. Risk tolerance may vary over time, different risk type or between different business units. It is a subjective judgement. However, risk tolerance within CPS should reflect these key principles: The Director, Chief Executive and the Board encourage the taking of controlled risks in pursuing new opportunities and the use of innovative 6 Version 1.0

7 approaches. In broad terms the Service has demonstrated a fairly high tolerance for taking on additional risks. Prohibited Risk Areas CPS policies and guidance manuals define where there are mandatory processes and procedures. Compliance with these standards is required and non-compliance with prescribed procedures constitutes an unacceptable risk. Some risks are acceptable provided the prescribed CPS process is followed (e.g. expenditure proposals, staff recruitment, specific CPS Security and Information Management guidance / processes) and designated responsibilities/ delegated authorities are adhered to. Headquarters Directors, CCPs and ABMs may take risk management decisions on the basis of their delegated financial authority and their devolved responsibilities and accountabilities. 7 Version 1.0

8 Security and Information Management Risk Key Roles and Responsibilities Error! Objects cannot be created from editing field codes. CPS Board The CPS Board is chaired by the Director and its members are the Chief Executive, Chief Operating Officer, Finance Director, and four non-executive directors. The Board's non-executive Directors provide an external challenge and perspective on CPS work and specific expertise to the discussions. The Board is collectively responsible for delivering the CPS Vision, underpinned by the corporate strategic objectives. The Board does this by:- Providing clear direction and visible leadership; Communicating the Vision and strategic objectives to all CPS staff; Monitoring and driving performance improvement; Working with partners to develop opportunities to improve efficiency across the Criminal Justice System; Setting the Service s risk appetite and owning the corresponding risk register Board Objectives for 2012/13 To realise the CPS Vision, the Board's work programme will be guided by five priorities this year: 1. Identifying and managing the strategic challenges and risks to the organisation; 2. Ensuring Driving full implementation of our People Strategy and improved Employee Engagement Index; 3. Embedding effective digital working across the CJS; 4. Ensuring delivery against our Core Quality Standards and performance improvement across all other key indicators; 8 Version 1.0

9 5. Ensuring effective allocation and management of the CPS' staff and financial resources. Role of the SIRO The key role of the SIRO, who also holds the role of Chief Operating Officer, is to ensure that the direction of the Security and Information Management Programme is aligned with the business Role of the Security Information Management Group (SIMG) The strategic outcomes will be achieved by focusing on the following three key objectives. These will have important implications for the way that CPS does its business. Objective 1: Clear and effective information risk management. Clear board-level ownership and accountability for information risks; and Where information is shared, a single point of risk ownership will be identified. Objective 2: Agreement upon and compliance with approved and appropriate Information Assurance (IA) standards CPS will operate within a national framework of IA common standards; and Trust and confidence in the use of information will be maintained through an effective model of compliance with these standards. Objective 3: The development and availability of appropriate IA Capabilities. CPS will work more closely with wider government and its ICT suppliers in the development of IA Capabilities to enable the better management of information risks; and 9 Version 1.0

10 These capabilities include: availability of the right products and services; coordinated and appropriate efforts on innovation, improved professionalism and awareness. Standards and Compliance A national framework of IA Standards provides CPS with the confidence that we are managing information risks appropriately. Establishing confidence and trust lies at the heart of enabling effective and responsible information sharing. These standards will define a segmented model for information and information system requirements. Systems will operate within one of a number of broad segments, according to the level of impact that failure of the information carried on those systems would have. Segments will be informed by impact levels based upon the Government s designated Infosec Standards. Within each of these segments, the level of IA achieved by adherence to the segment s IA standards will be broadly comparable. However, the balance of adherence to various types of IA standard may differ within the segment depending upon the user s IA specific requirements and risk appetite. For example, CPS may choose to apply a higher standard than the minimum within the segment, if one element of IA (e.g. confidentiality) is of particular importance. Where CPS has systems that lie within more than one segment, it will need to determine whether to enable full connectivity between the segments, in the wider context of business planning and delivery considerations. These common standards will provide a level of confidence when connecting systems or sharing information with other organisations within the same segment. In the context of Shared Services, for example, this will mean that CPS will be able to assure itself that shared information will be appropriately managed by other organisations. To ensure that the standards remain relevant, they will need to be responsive to rapidly evolving business needs. The delivery approach will set out how work to develop an appropriate set of IA standards and a compliance model is to be taken forward. 10 Version 1.0

11 Information Assurance Capabilities In order for CPS to be able to own and to manage its information risks to the appropriate standards, CPS will require appropriate IA Capabilities. These capabilities describe the IA elements that should be embedded within all parts of everyday business processes. CPS will engage with its ICT suppliers and wider government to ensure that knowledge and best practice is shared wherever possible in the delivery of these capabilities. The Development and Availability of the Right Products and Services CPS has adopted the Information Assurance Maturity Model for assuring confidence in the development of products and services. The model will help to ensure that IA is effectively and consistently embedded within ICT products as an ongoing through-life activity, beginning at the earliest design stage and continuing throughout the usage stage. As part of this approach CPS will look to: Develop improved operational assurance capability; Establish and operate a clear model for the provision of IA advice and services to stakeholders; and Exploit the investment in the present IA technical programme to embrace a wider range of IA products, while retaining primary focus on the needs of CPS and high threat areas of activity. Improved Professionalism across All Areas of the Information Assurance Sector Greater professionalism across the IA community is an important part of ensuring that staff within CPS are able to implement the approach set out in this Strategy. Government efforts to establish an Institute of Information Security Professionals (IISP), InfoSec training and an Accreditors Forum provided a useful start. Every effort will be made to ensure that IA 11 Version 1.0

12 professionals are given the same recognition and training opportunities as those within the Government IT Profession. At the same time other staff such as senior managers, IAOs and IMAs will improve their Information Management and Security skills through a programme of learning and development. Leadership Business Information Systems Directorate will provide the required leadership and expert knowledge to implement this Strategy. A key part of this will be to provide IA advice and guidance to the rest of the CPS to assist the implementation of activities. Reporting and direction will be via the Security and Information Management Group, chaired by the SIRO. With oversight of the DSO, the CPS IT Security Officer (ITSO) will lead on the provision of technical IA risk management guidance, standards of good practice, advice and assurance services across the CPS, fully supported by our ICT supplier partner. Reporting will be through the Head of Information Management Division to the Security and Information Management Group. Delivery Recognition of the importance of an effective governance structure to provide leadership on IA and appropriate mechanisms for the delivery of these objectives is at the heart of this Strategy. Within the CPS, a commitment at the top to provide clear leadership on this issue is vital to effecting the change required and ongoing maturity in IA. On behalf of the CPS Board, the IA Strategy is owned by the CPS SIMG, to ensure that a business approach to IA is taken across CPS. The SIMG will look to oversee delivery through the Information Assurance Programme Board (IAPB). The SIRO and the CIO work closely together to enable implementation of this Strategy, aligning the ICT Strategy to other appropriate strategies and policies. 12 Version 1.0

13 Where the approach to IA set by the SIMG has a direct bearing on closely related agendas, for example around protective security or counter-terrorism, the SIMG will ensure that the appropriate bodies are aware of and brought into the decision-making process, as required. In parallel, the governance structure will bring in wider elements of the organisation to ensure implementation of the Strategy in all appropriate areas of business activity. Implementation and Maintenance The delivery approach will develop the three strategic objectives of this Strategy into actions and activities to be implemented under the direction of the SIMG and IAPB. Wherever possible, these activities will build on or incorporate existing IA work and utilise existing mechanisms or channels for delivery. The delivery approach and IAPB will be guided by the mandatory requirements of the Security Policy Framework (SPF) and other best practice guidance. Jackie Ronchetti Head of Information Management 13 Version 1.0