DFID defines Information Risk as that part of DFID's overall risk portfolio which relates to the Confidentiality, Integrity and Availability of information within the organisation, in electronic and paper forms. It is vital that we manage these risks well in order to minimise the potential impact on DFID's operations and reputation, and to protect any personal information which we look after on behalf of the public.
This is relevant whether data is in storage, processing, or transit and whether threatened by malice or accident.
The Management Board owns DFID's overall processes for managing risk. Information risk is managed in the same overall framework as other risks in DFID, but with specific ownership, accreditation and monitoring arrangements in place which employ best practice principles drawn from external and HMG standards.
DFID's policy for managing information risk and evaluating the effectiveness of the measures put in place is the responsibility of the Finance & Corporate Director-General, who takes the role of Senior Information Risk Owner (SIRO). There is also a Deputy SIRO, the Head of Business Solutions Department, who can stand in for the SIRO when required.
The SIRO is responsible for developing and implementing this policy and for reviewing it regularly to ensure that it remains appropriate to the business objectives and risk environment.
The SIRO also appoints an Information Security Management Group (ISMG) to advise on the overall management of information security and information risk. This is chaired by the Deputy SIRO.
DFID has adopted the International Standard ISO 27001 to manage this process and as a mechanism for managing our information-related risks. As part of this process, DFID is subject to periodic audit and inspection by external auditors, who will assess compliance with the International Standard and identify non-conformities.
DFID holds a relatively small amount of personal data and a moderate amount of information which is classified at Restricted or above. On occasion, some of this data is shared with delivery partners, including commercial companies and other Government departments. Management and sharing of information must comply with the Data Protection Act and other legislation.
Threats to DFID's information come from a variety of sources inside and outside the organisation. These are assessed on a continuing basis by the IT Security Officer, taking advice from HMG sources as required.
The standard DFID "whistle-blowing" procedure may be used to report suspected breaches of information security.
Any data loss incidents must be reported in DFID's Annual Report and in the notes to the Annual Accounts.
Staff are reminded that misconduct which leads to the compromise of DFID information will be taken seriously and can lead to disciplinary processes.
1. All Information Assets (electronic and paper) in DFID must be catalogued by Business Systems Division and an Information Asset Owner appointed within the relevant part of the DFID business
2. All systems and processes which share personal, sensitive data with delivery partners must be approved in advance with the relevant Information Asset Owner
3. The Information Asset Owner is accountable for ensuring that the risks of data sharing are assessed and appropriate mitigation steps taken. Advice must be sought from the Openness Unit, Knowledge Information and Management Team, on compliance with the Data Protection Act and other legislation
4. The Information Asset Owner must formally log all data transfers with delivery partners
5. Each Information Asset Owner must review their assets at least annually in line with HMG guidance and provide a summary to the SIRO
6. The IT Security Officer must maintain a log of information security incidents and report on recent incidents to each meeting of the ISMG
7. All methods used to hold or carry material classified at Restricted or higher must be documented with a Risk Management Accreditation Document Set. This classification of risk must be carried out by someone with experience and suitable qualifications in risk assessment, such as a Departmental Accreditor or a CLAS consultant
8. IS standards include a methodology to assess risk levels. DFID must not accept risks which are assessed as Medium-High or above. Risks which are assessed as Medium must be referred to the SIRO for acceptance. Risks which fall below Medium are assessed and certified by the Department's IS Standards accreditor. Current risk levels are: Low, Low-Medium, Medium, Medium-High and High
9. All new IT systems, and all substantial upgrades to existing IT systems, are subject to a risk assessment in accordance with HMG Information Security standards before they are implemented
10. All new IT systems which hold personal data must be subject to a Privacy Impact Assessment (best practice) before implementation
11. If, following completion of a Privacy Impact Assessment, a full Risk Assessment is required, DFID's Security Officer must be consulted for advice and for access to certain documents and guidance that are classified and therefore only available through the Government Secure Intranet (GSI). These include:
12. All new staff or those transferred into posts where the handling of Personal Data is part of the job must complete the Protecting Information Level 1 E-Learning module. It is the responsibility of the line manager to ensure that this takes place.
Information security is covered in DFID Induction Training.
A programme of awareness training on information security is provided when needed by ISD and Security Section. This includes coverage of the corporate and individual consequences of failure to apply DFID's policies and procedures.