Guideline for Roles & Responsibilities in Information Asset Management



Similar documents
Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

NSW Government Digital Information Security Policy

University of Sunderland Business Assurance Information Security Policy

RECORDS MANAGEMENT POLICY

Guidelines for Best Practices in Data Management Roles and Responsibilities

NSW Government Digital Information Security Policy

Information Governance Strategy & Policy

Data Governance Policy. Version October 2015

Highland Council Information Security Policy

Information & ICT Security Policy Framework

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Program CHARTER

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Ealing Council Corporate Information and Data Security Policy

Information and records management. Purpose. Scope. Policy

ISO Controls and Objectives

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Data Governance Policy. Staff Only Students Only Staff and Students. Vice-Chancellor

How To Protect School Data From Harm

Information Management Responsibilities and Accountability GUIDANCE September 2013 Version 1

Information and Compliance Management Information Management Policy

Financial Services Guidance Note Outsourcing

Ulster University Standard Cover Sheet

Document Management in the FIPPA Era

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Information Security Policies. Version 6.1

IT Charter and IT Governance Framework

Information Governance Policy A council-wide information management policy. Version 1.0 June 2013

Information Security Program

IT Data Security Policy

ISO27001 Controls and Objectives

ADMINISTRATIVE POLICY # (2014) Information Security Roles and Responsibilities

University of Liverpool

Tasmanian Government Information Security Framework

Information Governance Framework

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Information security controls. Briefing for clients on Experian information security controls

OPERATIONAL DIRECTIVE. Data Stewardship and Custodianship Policy. Superseded By:

Bring Your Own Device (BYOD) Policy

Policy (Board Approved)

Information Management and Security Policy

Information security policy

Corporate Information Security Policy

IT Security Management

Document and Record Control Procedures

Security Awareness and Training

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

3. Ensure the management of information is compliant with legislative requirements to maximise the benefits and minimise risks;

Information Governance Policy

Service Children s Education

ISMS Implementation Guide

Outline of a Research Data Management Policy for Australian Universities / Institutions

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

Newcastle University Information Security Procedures Version 3

Draft Information Technology Policy

Risk Management Policy and Framework

NHS Business Services Authority Information Security Policy

INFORMATION SECURITY MANAGEMENT POLICY

Stellenbosch University. Information Security Regulations

EA-ISP-001 Information Security Policy

INFORMATION TECHNOLOGY SECURITY STANDARDS

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Integrity & Data Management

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

Information Governance Strategy. Version No 2.0

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

Information Governance Policy

INTERNATIONAL SOS. Information Security Policy. Version 1.02

Security Controls What Works. Southside Virginia Community College: Security Awareness

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

ELECTRONIC INFORMATION SECURITY A.R.

Information Security Policy

Corporate Information Security Management Policy

The Information Security Management System According ISO The Value for Services

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

Information Security Policy

Information Governance Policy (incorporating IM&T Security)

Rotherham CCG Network Security Policy V2.0

How To Protect Your Computer System From Being Hacked

Scotland s Commissioner for Children and Young People Records Management Policy

Information Governance Policy

This procedure is associated with BCIT policy 6700, Freedom of Information and Protection of Privacy.

Mobile Security Standard

NSW Government. Cloud Services Policy and Guidelines

Records and Document Management

Personal Health Information Privacy Policy

How To Protect Decd Information From Harm

University of Aberdeen Information Security Policy

Transcription:

ISO 27001 Implementer s Forum Guideline for Roles & Responsibilities in Information Asset Management Document ID ISMS/GL/ 003 Classification Internal Use Only Version Number Initial Owner Issue Date 07-08-2009 Approved By This work is copyright 2009, Mohan Kamat and ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum www.iso27001security.com), and (c) derivative works are shared under the same terms as this.).

Title Roles in Information Asset Management Document ID ISMS/GL/003 Date 07-08-2009 Status Initial Prepared By: Mohan Kamat 07-08-2009 Reviewed By: Reviewed By: Approved By: Approved By: Distribution List Apex Committee ISMS Forum All Department / Function Heads To approve and authorize To review and update To understand and comply Amendment History Version No Page No Details of Amendment Amendment Date Approved By

1. Overview All information assets shall be managed at organization level. The ownership of the information assets shall reside with the organization and individuals shall be assigned and made responsible and accountable for the information assets. Specific Individuals shall be assigned with the ownership / custodianship / operational usage and support rights of the information assets. 2. Information Asset Management Roles Statutory Legislations Statutory Regulations Organizational Regulations Organizational Policies Contractual rights & obligations Director Information Management Information Security Officer Organization Level Legal Ownership Delegated Ownership Chief Executive Officer Management Custodianship Chief Information Officer Information Asset Custodian Information Security Governance Apex Committee MR Change Advisory Board Damage assessment Team ISM Forum Task Force Incident Response Team Audit Committee Data Operators / End Users 3. Information Asset Management Responsibilities 1. Legal Owner The top management shall be legal owner of information asset. No individual can claim IP rights of an Information asset, unless and otherwise specifically agreed and approved by the management in contractual agreement. 2. Delegated Ownership The CEO shall have authority to represent the organization for the protection and security of the information asset as ownership of Information assets is delegated to this organizational role. CEO shall approve the Information Management / Security Policy. The CEO may delegate full / partial ownership along with the defined responsibilities to any officer / contractor / third party with operational rights and responsibility. ISO 27001 Implementer s Forum 2009 Internal Use Only Page 3

The responsibilities of the Asset owner are as follows: Updating of information asset inventory register; Identifying the classification level of information asset; Defining and implementing appropriate safeguards to ensure the confidentiality, integrity, and availability of the information asset; Assessing and monitoring safeguards to ensure their compliance and report situations of non-compliance; Authorizing access to those who have a business need for the information, and Ensuring access is removed from those who no longer have a business need for the information. 3. Director Information Management The Director, Information Management ensures that the information resources of organization are managed as a corporate asset and assists in establishing the strategic direction of information management for the organization. They provide support and leadership to officers and other directors responsible for managing information resources on a day-to-day basis. The Director, Information Management shall provide specialist advice relating to information management practices contribute to the strategic direction of information management within the organization co-ordinate the development and implementation of information management practices including policies, standards, guidelines and procedures assist business units to define and understand their responsibilities in relation to information management assist business units to identify their information needs and requirements Work with the Chief Information Officer to plan and implement systems to effectively manage the agency s information assets. 4. Chief Information Officer The CIO ensures that strategic planning processes are undertaken so that information requirements and supporting systems and infrastructure are aligned to legislative requirements and strategic goals. The CIO ensures that information security policies and governance practices are established to ensure the quality and integrity of the agency s information resources and supporting IT systems. They oversee the development of tools, systems and information technology infrastructure to maximise the access and use of an agency s information resources. The Chief Information Officer is responsible for: interpreting the business and information needs and wants of the organization and translating them into ICT initiatives setting the strategic direction for information and communications technology and information management ensuring that ICT and information management investment is aligned to the strategic goals of the organization ensuring that projects and initiatives are aligned and coordinated to deliver the best value ensuring ICT planning is integrated into business planning identifying opportunities for information sharing and cross collaboration on projects and initiatives. 5. Information Security Officer The information security officer is responsible for developing and implementing information security policy designed to protect information and any supporting ISO 27001 Implementer s Forum 2009 Internal Use Only Page 4

information systems from any unauthorised access, use, disclosure, corruption or destruction. The information security officer shall: Develop policies, procedures and standards to ensure the security, confidentiality and privacy of information that is consistent with organizational Information security policy Monitor and report on any information intrusion incidents and activate strategies to prevent further incidents. Work with information custodians to ensure that information assets have been assigned appropriate security classifications. Maintenance and upkeep of the asset as defined by the asset owner System Restart and recovery Implementing any changes as per the change management procedure Backup of the information Updating of information asset inventory register; Identifying the classification level of information asset; Defining and implementing appropriate safeguards to ensure the confidentiality, integrity, and availability of the information asset; Assessing and monitoring safeguards to ensure their compliance and report situations of non-compliance; Authorizing access to those who have a business need for the information, and Ensuring access is removed from those who no longer have a business need for the information. 6. Data Operators / End Users Employees, Third Parties, Contractors authorized by the Owner / custodian to access information and use the safeguards established by the Owner / custodian. Being granted access to information does not imply or confer authority to grant other users access to that information. The users are bound by the acceptable usage policy of the organization. ISO 27001 Implementer s Forum 2009 Internal Use Only Page 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information