Achieving information assurance requires an effective and appropriate set of responsibilities.
ISO/IEC 17799 clearly identifies the importance of a central security function but one which is integrated with other central business functions so that managing IA becomes part of the process of managing the organisation.
Further advice for Central Government departments is given in the Manual of Protective Security (MPS), which for GSi-connecting departments can be obtained from the Security Matters website (accessible only to GSi users within the Civil Service). Further information is also available from that site and from CESG. For other bodies there may be an equivalent source, e.g. JSP 440 for the MoD or NHS IT standards, which acts as a mandatory security framework.
Advice on the implementation of information security in government can be obtained from CESG, COSPD, NSAC, the Centre for the Protection of National Infrastructure (CPNI), CSIA and CLAS consultants.
Compliance with ISO/IEC 17799, and sound governance generally, require organisations to implement an IA management structure in which responsibilities and accountability are clearly defined and assigned.
Organisations may allocate more than one role to an individual, or may allocate more than one individual to a role. This is subject to the provisos that the responsibility for each necessary role is allocated, that the responsibilities in total are complete and clearly communicated, and that there are no conflicts of interest.
Sir Andrew Turnbull wrote to all Permanent Secretaries on 9th February 2004 (Appendix A) to make clear the importance of information risk management as a crucial component of the board level governance function. In particular, Permanent Secretaries were advised:
Each department’s mission statement and Security Policy statement should include an ISO/IEC 17799 compliance statement that management is committed to Information Assurance being embedded with the business process.
Introduction
The key roles for IA governance in Central Government are shown in the schematic diagram overleaf. The blue arrow indicates a flow of audit reporting information, the orange arrow represents a flow of business delegation. The key symbol represents an IA responsibility, the information symbol a reporting line.
An explanation of the roles at National level in the framework above can be found on the DirectGov website, the Cabinet Office website and the No10 website.

Cabinet Secretary
The Cabinet Secretary reports directly to the Prime Minister and is also Head of the Home Civil Service.
Permanent Secretary
Departmental Permanent Secretaries are accountable to the Cabinet Secretary for management of IA within individual departments.
Senior Information Risk Owner (SIRO)
The Cabinet Secretary requires Central Government departments to appoint a Board level Senior Information Risk Owner (SIRO), who accepts responsibility for ensuring that IS risk within the department is managed appropriately.
This appointment of an individual at Board level indicates clearly that ownership of risk lies not with the IT department nor the security department but at a strategic level within the organisation.
The SIRO is expected to understand how the strategic business goals of the organisation may be impacted by IS failures. While this role is supported by the Departmental Security Officer, IT Security Officer and Accreditor, nevertheless the ownership of risk remains with the SIRO. The SIRO is also responsible for collating information for inclusion in the CSIA annual report to the Prime Minister.
Business Unit Director
Within a business unit the Director is responsible for the programmes and projects under his or her remit, and liaises with the SIRO and with SROs to ensure that risk is being managed appropriately within each.
Senior Responsible Officer (SRO)
Responsibility for information risk is delegated from the Cabinet Secretary via the SIRO ultimately down to the Senior Responsible Officer (SRO) for a particular programme or project. The SRO is responsible for ensuring that a programme or project meets its objectives as agreed with the SIRO and Board level business owners.
The SRO understands the risks to the programme or project, and is aware of the overall residual risk and how this might impact the strategic goals of the programme. The SRO is responsible for ensuring that information risk assessment and management processes are carried out within the department, and provides advice to the SIRO on residual risk and areas of non-compliance.
Departmental Security Officer (DSO)
The DSO is responsible for the implementation and dissemination of IA policy and guidance and for incident reporting and investigation. In companies with List X sites the Security Controller fulfils a similar function.
IT Security Officer / Communications Security Officer
An IT Security Officer (ITSO), and/or Communications Security Officer (COMSO) or similar, may be appointed to assist the DSO/Security Controller in their responsibilities, specifically for IT and communications systems.
Accreditor
The role of the Accreditor is to act as an impartial assessor of the residual risk affecting a department’s IS, and to formally accredit those systems.
Within the List X community the accreditation of systems processing CONFIDENTIAL or above is the responsibility of the company's Government Security Advisor; where the system is processing RESTRICTED or below, List X Notice 44 makes provision, under certain circumstances, for the company's Security Controller to carry out self-accreditation.
The Accreditor must ensure that IA risks are being managed appropriately. Accreditors assess the risk on behalf of the Senior Responsible Officer who accepts the residual risks based on his or her knowledge of the organisation’s business objectives. If the Accreditor advises that risks are too high, then the SRO must take the risk decision or escalate the issue to the SIRO for advice.
Although ownership of security functions may be distributed across an organisation, ownership of risk remains with the SIRO on behalf of senior management.
The guidance in this section reflects the approach adopted by Central Government departments, and is recommended as a model for adoption where there is not already an established scheme. In all cases it is recommended that:
The concept of accreditation is another key principle which, although expressed here in terms of Central Government, has wider applicability. An Accreditor will take account of the physical, technical, procedural, personnel etc. countermeasures applied to a system, and assess them in the context of the risk analysis and security objectives for the system, and will advise on the residual risk. If the residual risk is acceptable, the system is authorised for operation.
Although the residual risk remains with the system owner, Accreditor approval acts as an impartial assurance that the system meets its agreed security objectives.
Accreditation, in the form of formal approval to operate on the basis of an agreed risk analysis and corresponding countermeasures, provides cradle-to-grave oversight of IA issues, which is an important aspect of organisational risk management. ISO/IEC 17799 recommends that there should be an authorisation process for new Information Systems which, although only a small part of the accreditation process, nevertheless indicates the wider applicability and importance of this role.