Guidance on Mandatory Roles (AO, SIRO, IAO)

March 2009

2 MANDATORY ROLES: AO, SIRO AND IAO

NOT PROTECTIVELY MARKED


Audience: This paper will be of particular interest to Accounting Officers (AO), Senior Information Risk Owners (SIRO) and Information Asset Owners (IAO). Where Departments are referred to below, it should be noted that this includes executive agencies, non-departmental public bodies, and trading funds.

Timing: Immediate

Background

INFORMATION RISK ROLES

1. The minimum mandatory measures on information risk mention three roles that all Departments must have in place: the Accounting Officer (AO), the Senior Information Risk Owner (SIRO) and Information Asset Owners (IAO). This document summarises what each involves, providing a ready check-list for individuals playing those roles.

2. This document does not summarise other roles not made mandatory in the same way.

Contacts

Enquiries about content should be directed to: datareviewteam@cabinet-office.x.gsi.gov.uk

Crown Copyright March 2009


Role                               Page
Accounting Officer                 4
Senior Information Risk Owner      5
Information Asset Owner            6


Accounting Officer

The Accounting Officer has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. Information risks should be handled in a similar manner to other major risks such as financial, legal and reputational risks.

Aspect of role: Lead and foster a culture that values, protects and uses information for the public good

Supporting actions:
- Discuss information risk in the delivery chain regularly with the Board
- Cover information risk explicitly in the statement on internal control
- Have a SIRO who is skilled, focused on the issues, and supported
- Review and encourage the Departmental plan to achieve and monitor the right culture
- Take visible steps to support and participate in that plan (including completing own training)

Further supporting actions:
- Board discusses the quarterly risk assessments and annual forward look
- Board agrees actions needed to respond to risks and ensures they are followed up
- Board discusses breaches and near misses, to learn lessons and share them with others
- Receive an annual assessment of information risk performance from the SIRO that draws on material from Information Asset Owners and specialists
- Test the material with the SIRO and others, including internal audit
- Publish summary material in the annual report

Managing Information Risk - a guide for Accounting Officers, Board members and Senior Information Risk Owners is currently available on CESG's GSi website at the following link: http://www.cesg.gsi.gov.uk/ia-policy-portfolio/title.shtml.


Senior Information Risk Owner

The SIRO is an executive familiar with information risks and leads the Department's response. The SIRO is the focus for the management of information risk at Board level.

Aspect of role: Lead and foster a culture that values, protects and uses information for the public good

Supporting actions:
- Ensures the Department has a plan to achieve and monitor the right culture, across the Department and its partners
- Takes visible steps to support and participate in that plan (including completing own training)
- Ensures the Department has IAOs who are skilled, focused on the issues, and supported, plus the specialists that it needs

Aspect of role: Own the overall information risk policy and risk assessment process, test its outcome, and ensure it is used

Supporting actions:
- Ensures that risk policy is complete, covering how the Department implements at least the minimum mandatory measures in its own activity and that of delivery partners, and how compliance will be monitored
- Ensures that risk assessment is completed at least quarterly, taking account of extant Government-wide guidance (available from Cabinet Office)
- Based on the risk assessment, understands what information risks there are to the Department through its delivery chain, and ensures that they are addressed and that they inform investment decisions
- Ensures that risk assessment and actions taken benefit from an adequate level of independent scrutiny

Aspect of role: Advise the Accounting Officer on the information risk aspects of his statement on internal control

Supporting actions:
- Receives annual assessment of performance, including material from the IAOs and specialists, covering minimum mandatory measures as well as actions planned for the Department's own circumstances
- Provide advice to the Accounting Officer on the information risk parts of their statement on internal control
- Shares assessment and supporting material with Cabinet Office, to support cross-Government work in this area


Information Asset Owner

Information Asset Owners are senior individuals involved in running the relevant business. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result they are able to understand and address risks to the information, ensure that information is fully used within the law for the public good, and provide written input to the SIRO annually on the security and use of their asset.

Aspect of role: Lead and foster a culture that values, protects and uses information for the public good

Supporting actions:
- Understands the Department's plans to achieve and monitor the right culture, across the Department and its partners
- Takes visible steps to support and participate in that plan (including completing own training)

Aspect of role: Knows what information the asset holds, and what enters and leaves it and why

Supporting actions:
- Keeps understanding of the asset and how it is used up to date
- Approves and minimises transfers while achieving the business purpose
- Approves arrangements so that information put onto removable media like discs or laptops is minimised and protected
- Approves the disposal mechanisms for paper or electronic records from my asset

Aspect of role: Knows who has access and why, and ensures their use of it is monitored

Supporting actions:
- Understands the organisation's policy on use of the information
- Checks that access provided is the minimum necessary to achieve the business purpose
- Receives records of checks on use and assures self that they are being conducted

Aspect of role: Understands and addresses risks to the asset, and provides assurance to the SIRO

Supporting actions:
- Contributes to the Department's risk assessment
- Makes the case where necessary for new investment to secure my asset
- Provides an annual written assessment to the SIRO about my asset

Aspect of role: Ensures the asset is fully used for the public good, including responding to requests for access from others

Supporting actions:
- Considers whether better use of the information could be made
- Receives and logs access requests from others
- Ensures decisions on access are taken accordingly
