8/14/2019 mandatory-roles.pdf
1/6
Guidance on Mandatory Roles (AO, SIRO, IAO)
March 2009
MANDATORY ROLES: AO, SIRO AND IAO
NOT PROTECTIVELY MARKED
Guidance on Mandatory Roles (AO, SIRO, IAO)
Audience: This paper will be of particular interest to Accounting Officers (AO), Senior Information Risk Owners (SIRO) and Information Asset Owners (IAO). Where Departments are referred to below, it should be noted that this includes executive agencies, non-departmental public bodies, and trading funds.
Timing: Immediate
Background
INFORMATION RISK ROLES
1. The minimum mandatory measures on information risk mention three roles that all Departments must have in place: the Accounting Officer (AO), the Senior Information Risk Owner (SIRO) and Information Asset Owners (IAO). This document summarises what each role involves, providing a ready check-list for individuals playing those roles.
2. This document does not summarise other roles that are not made mandatory in the same way.
Contacts: Enquiries about content should be directed to:
Crown Copyright March 2009
Contents
Accounting Officer
Senior Information Risk Owner
Information Asset Owner
Accounting Officer
The Accounting Officer has overall responsibility for ensuring that information risks are assessed
and mitigated to an acceptable level. Information risks should be handled in a similar manner to
other major risks such as financial, legal and reputational risks.
Aspect of role: Lead and foster a culture that values, protects and uses information for the public good
Supporting actions:
- Have a SIRO who is skilled, focused on the issues, and supported
- Review and encourage the Departmental plan to achieve and monitor the right culture
- Take visible steps to support and participate in that plan (including completing own training)

Aspect of role: Discuss information risk in the delivery chain regularly with the Board
Supporting actions:
- Board discusses the quarterly risk assessments and annual forward look
- Board agrees actions needed to respond to risks and ensures they are followed up
- Board discusses breaches and near misses, to learn lessons and share them with others

Aspect of role: Cover information risk explicitly in the statement on internal control
Supporting actions:
- Receive an annual assessment of information risk performance from the SIRO, that draws on material from Information Asset Owners and specialists
- Test the material with the SIRO and others, including internal audit
- Publish summary material in the annual report
Managing Information Risk - a guide for Accounting Officers, Board members and Senior Information Risk Owners is currently available on CESG's GSi website at the following link:
http://www.cesg.gsi.gov.uk/ia-policy-portfolio/title.shtml.
Senior Information Risk Owner
The SIRO is an executive familiar with information risks who leads the Department's response. The SIRO is the focus for the management of information risk at Board level.
Aspect of role: Lead and foster a culture that values, protects and uses information for the public good
Supporting actions:
- Ensures the Department has a plan to achieve and monitor the right culture, across the Department and its partners
- Takes visible steps to support and participate in that plan (including completing own training)
- Ensures the Department has IAOs who are skilled, focused on the issues, and supported, plus the specialists that it needs

Aspect of role: Own the overall information risk policy and risk assessment process, test its outcome, and ensure it is used
Supporting actions:
- Ensures that risk policy is complete, covering how the Department implements at least the minimum mandatory measures in its own activity and that of delivery partners, and how compliance will be monitored
- Ensures that risk assessment is completed at least quarterly, taking account of extant Government-wide guidance (available from Cabinet Office)
- Based on the risk assessment, understands what information risks there are to the Department through its delivery chain, and ensures that they are addressed and that they inform investment decisions
- Ensures that risk assessment and actions taken benefit from an adequate level of independent scrutiny

Aspect of role: Advise the Accounting Officer on the information risk aspects of their statement on internal control
Supporting actions:
- Receives an annual assessment of performance, including material from the IAOs and specialists, covering the minimum mandatory measures as well as actions planned for the Department's own circumstances
- Provides advice to the Accounting Officer on the information risk parts of their statement on internal control
- Shares the assessment and supporting material with Cabinet Office, to support cross-Government work in this area
Information Asset Owner
Information Asset Owners are senior individuals involved in running the relevant business. Their
role is to understand what information is held, what is added and what is removed, how information
is moved, and who has access and why. As a result they are able to understand and address risks
to the information, and ensure that information is fully used within the law for the public good, and
provide written input to the SIRO annually on the security and use of their asset.
Aspect of role: Lead and foster a culture that values, protects and uses information for the public good
Supporting actions:
- Understands the Department's plans to achieve and monitor the right culture, across the Department and its partners
- Takes visible steps to support and participate in that plan (including completing own training)

Aspect of role: Knows what information the asset holds, and what enters and leaves it and why
Supporting actions:
- Keeps understanding of the asset and how it is used up to date
- Approves and minimises transfers while achieving the business purpose
- Approves arrangements so that information put onto removable media like discs or laptops is minimised and protected
- Approves the disposal mechanisms for paper or electronic records from the asset

Aspect of role: Knows who has access and why, and ensures their use of it is monitored
Supporting actions:
- Understands the organisation's policy on use of the information
- Checks that access provided is the minimum necessary to achieve the business purpose
- Receives records of checks on use and assures self that they are being conducted

Aspect of role: Understands and addresses risks to the asset, and provides assurance to the SIRO
Supporting actions:
- Contributes to the Department's risk assessment
- Makes the case where necessary for new investment to secure the asset
- Provides an annual written assessment to the SIRO about the asset

Aspect of role: Ensures the asset is fully used for the public good, including responding to requests for access from others
Supporting actions:
- Considers whether better use of the information could be made
- Receives and logs access requests from others
- Ensures decisions on access are taken accordingly