This snapshot, taken on 05/09/2007, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.

Cabinet Office


Information Assurance Governance Framework

Executive Summary

Background

This document is concerned with the management of information risks in government departments in order to provide Information Assurance (IA). It sets out a framework for achieving stakeholder confidence through the process of IA governance.

Information Assurance is the confidence that information systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users.

Information Assurance is achieved through stakeholder confidence that information risks are managed appropriately. This framework is concerned with precisely the process of achieving that stakeholder confidence: the process of IA Governance.

Focus

While the framework is aimed at Central Government at present, it is intended for use in time by the wider public sector.

The objectives of the framework are to:

The framework explains the processes of IA governance, and provides guidance on implementation, through references to applicable standards and statements of best practice.

Leadership and Ownership

To be effective, information risk management must be seen as an essential business function and not just a technical issue, with responsibility for IA owned at the very highest level. The principles of governance in this area stem primarily from the international standard for Information Security Management, ISO/IEC 17799.

IA in Service Agreements

To be effective, IA in service based procurements must be founded on a security management plan which identifies both the route to a secure position, and the processes which will maintain it.

IA in the Procurement Process

A project fails if it does not meet its IA objectives, since the information delivered by the service and upon which the business relies may not be adequately protected. The framework provides supporting practical guidance specifically for service based procurements, where the design details of Information Systems (IS) to provide a service only become known following the bidding phase.

IA Standards and Services

The framework provides an explanation of commonly used security schemes and standards, and shows their inter-relationships. References are provided for additional sources of information and guidance (see also Glossary).

Risk Management

The framework is concerned with the management of risk, including operational risk, and the controls used to manage it.

Understanding the risks to the information assets that support the organisation’s business is essential if those risks are to be managed effectively, efficiently and economically. There must be continual monitoring of the threats and vulnerabilities applicable to the organisation’s business, and of the effectiveness of the implemented controls, if ongoing IA is to be achieved.

Change Management

It is essential that control is maintained over the configuration of an organisation’s information systems, to ensure that all changes are properly authorised and effectively implemented, and that security vulnerabilities are monitored and managed.

Accounting, Audit and Monitoring

Without ongoing monitoring processes, organisations cannot be confident that their IA measures remain appropriate. The timely analysis of audit records, and the incorporation of lessons learned following an incident, provide crucial feedback to the IA process.

Incident Management

Because no process can be 100% effective, security incidents must be anticipated and a plan drawn up for their management and for their use as a valuable input to the risk assessment and management activities. Incident management must include elements of: preparation for incidents; pre-emptive actions; and ongoing actions which ensure that incidents are reported as and when they occur, so that the response can be as rapid as possible.

Business Continuity

The three key tenets of Information Assurance are Confidentiality, Integrity and Availability. All three must be addressed in relation to the needs of the organisation, if IA is to be achieved. Business Continuity is a specific area of IA relating to the maintenance of service and information availability.

Awareness, Education and Training

The governance and best practice guidance set out in the framework is based on the principles of the Infosec Training Paths and Competencies Scheme. The scheme has been developed for information security professionals who manage protectively marked information in departments and their Agencies, their accredited contractors and public sector bodies such as police forces.

Compliance

UK government departments are required to demonstrate compliance with ISO/IEC 17799 for all their nominated key information systems, in terms of compliance with legal and regulatory requirements, and in terms of compliance with stated and agreed business security policy.
