mandatory-roles.pdf


  • 8/14/2019 mandatory-roles.pdf

    Guidance on Mandatory Roles (AO, SIRO, IAO)

    March 2009


    MANDATORY ROLES: AO, SIRO AND IAO

    NOT PROTECTIVELY MARKED


    Guidance on Mandatory Roles (AO, SIRO, IAO)

    Audience: This paper will be of particular interest to Accounting Officers (AO), Senior Information Risk Owners (SIRO) and Information Asset Owners (IAO). Where Departments are referred to below, it should be noted that this includes executive agencies, non-departmental public bodies, and trading funds.

    Timing: Immediate

    Background

    INFORMATION RISK ROLES

    1. The minimum mandatory measures on information risk mention three roles that all Departments must have in place: the Accounting Officer (AO), the Senior Information Risk Owner (SIRO) and Information Asset Owners (IAO). This document summarises what each involves, providing a ready check-list for individuals playing those roles.

    2. This document does not summarise other roles not made mandatory in the same way.

    Contacts: Enquiries about content should be directed to:

    [email protected]

    Crown Copyright March 2009


    Contents

    Role                             Page
    Accounting Officer                  4
    Senior Information Risk Owner       5
    Information Asset Owner             6


    Accounting Officer

    The Accounting Officer has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. Information risks should be handled in a similar manner to other major risks such as financial, legal and reputational risks.

    Aspect of role: Lead and foster a culture that values, protects and uses information for the public good
    Supporting actions:
    - Have a SIRO who is skilled, focused on the issues, and supported
    - Review and encourage Departmental plan to achieve and monitor the right culture
    - Take visible steps to support and participate in that plan (including completing own training)

    Aspect of role: Discuss information risk in the delivery chain regularly with the Board
    Supporting actions:
    - Board discusses the quarterly risk assessments and annual forward look
    - Board agrees actions needed to respond to risks and ensures they are followed up
    - Board discusses breaches and near misses, to learn lessons and share them with others

    Aspect of role: Cover information risk explicitly in the statement on internal control
    Supporting actions:
    - Receive an annual assessment of information risk performance from the SIRO, that draws on material from information asset owners and specialists
    - Test the material with the SIRO and others, including internal audit
    - Publish summary material in the annual report

    "Managing Information Risk - a guide for Accounting Officers, Board members and Senior Information Risk Owners" is currently available on CESG's GSi website at the following link: http://www.cesg.gsi.gov.uk/ia-policy-portfolio/title.shtml.


    Senior Information Risk Owner

    The SIRO is an executive familiar with information risks and leads the Department's response. The SIRO is the focus for the management of information risk at Board level.

    Aspect of role: Lead and foster a culture that values, protects and uses information for the public good
    Supporting actions:
    - Ensures the Department has a plan to achieve and monitor the right culture, across the Department and its partners
    - Takes visible steps to support and participate in that plan (including completing own training)
    - Ensures the Department has IAOs who are skilled, focussed on the issues, and supported, plus the specialists that it needs

    Aspect of role: Own the overall information risk policy and risk assessment process, test its outcome, and ensure it is used
    Supporting actions:
    - Ensures that risk policy is complete, covering how the Department implements at least the minimum mandatory measures in own activity and that of delivery partners, and how compliance will be monitored
    - Ensures that risk assessment is completed at least quarterly, taking account of extant Government-wide guidance (available from Cabinet Office)
    - Based on the risk assessment, understands what information risks there are to the Department through its delivery chain, and ensures that they are addressed, and that they inform investment decisions
    - Ensures that risk assessment and actions taken benefit from an adequate level of independent scrutiny

    Aspect of role: Advise the Accounting Officer on the information risk aspects of his statement on internal control
    Supporting actions:
    - Receives annual assessment of performance, including material from the IAOs and specialists, covering minimum mandatory measures as well as actions planned for the Department's own circumstances
    - Provides advice to the Accounting Officer on the information risk parts of their statement on internal control
    - Shares assessment and supporting material with Cabinet Office, to support cross-Government work in this area


    Information Asset Owner

    Information Asset Owners are senior individuals involved in running the relevant business. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result they are able to understand and address risks to the information, and ensure that information is fully used within the law for the public good, and provide written input to the SIRO annually on the security and use of their asset.

    Aspect of role: Lead and foster a culture that values, protects and uses information for the public good
    Supporting actions:
    - Understands the Department's plans to achieve and monitor the right culture, across the Department and its partners
    - Takes visible steps to support and participate in that plan (including completing own training)

    Aspect of role: Knows what information the asset holds, and what enters and leaves it and why
    Supporting actions:
    - Keeps understanding of the asset and how it is used up to date
    - Approves and minimises transfers while achieving the business purpose
    - Approves arrangements so that information put onto removable media like discs or laptops is minimised and protected
    - Approves the disposal mechanisms for paper or electronic records from my asset

    Aspect of role: Knows who has access and why, and ensures their use of it is monitored
    Supporting actions:
    - Understands the organisation's policy on use of the information
    - Checks that access provided is the minimum necessary to achieve the business purpose
    - Receives records of checks on use and assures self that they are being conducted

    Aspect of role: Understands and addresses risks to the asset, and provides assurance to the SIRO
    Supporting actions:
    - Contributes to the Department's risk assessment
    - Makes the case where necessary for new investment to secure my asset
    - Provides an annual written assessment to the SIRO about my asset

    Aspect of role: Ensures the asset is fully used for the public good, including responding to requests for access from others
    Supporting actions:
    - Considers whether better use of the information could be made
    - Receives and logs access requests from others
    - Ensures decisions on access are taken accordingly