Information Assurance and Accreditation Policy, word file, 247KB
E047
Information Assurance and Accreditation Policy
(Policy Reference: NRS013)
March 2013
NRS
This Document was
Prepared by:
Reviewed by:
Information Assurance and Accreditation Policy
Head of IA / IS August 2012
IS Manager and IS Deputy
Manager
August 2012
Authorised by: Head of IA / IS March 2013
Document Distribution
All members of staff in the National Records of Scotland (NRS).
Amendment Suggestion
If you have suggested amendments please contact the NRS Information Security Team.
Status Control
Versio n
Date
0.2 Aug 2012
Status
Draft
Prepared by
Head of IA
Reason for Amendment
1.0 March 2013 Final Head of IA Formal release
Version: 1.0
Location: Security/Policies
Page 2 of 8 Last saved date: 2013-03-18
NRS Information Assurance and Accreditation Policy
Table of Contents
Version: 1.0
Location: Security/Policies
Page 3 of 8 Last saved date: 2013-03-18
NRS Information Assurance and Accreditation Policy
1. Introduction
1.1 NRS and its antecedents have long been responsible for the custody of sensitive personal data (e.g. Census records, records of adoptions, health records, court records, etc) and have had to give proper consideration to the security and integrity of this information.
Keeping the information we hold secure is fundamental to the successful operation of the
Department.
1.2 NRS has an excellent reputation in maintaining the confidentiality, integrity and availability of the information it collects and retains. It is important for the Department to maintain its reputation and the following policies and procedures have been put in place to ensure the security of its information.
1.3 Although some of the information available from NRS is itself in the public domain, we still have a further duty of care when the volumes of information held are such that the risk assessment for the quantity of data is perceived to be increased.
2. Policy Objective
2.1 This document outlines the policy and commitments that the National Records of
Scotland (NRS) is adopting on Information Assurance (IA) and Accreditation.
2.2 The policy statement aims to preserve:
the confidentiality of information by ensuring it is only available to those who are authorised to access it;
the integrity of information by safeguarding the accuracy and completeness of information; and,
the availability of information by ensuring that users have access to information and information systems as and when required.
2.3 The policy also intends to ensure compliance with the HMG Security Policy Framework
(SPF), 1 and the HMG suite of IA Standards and Good Practice Guides (GPG). In particular GPG
19, Managing Accreditation
– Governance, Structure and Culture; GPG 30 Assurance of ICT
Systems and Services and GPG 47 Information Risk Management.
2.4 What is information assurance?
2.4.1 Information assurance is defined in HMG IA Standard Numbers 1 and 2 – Information
Risk Management [Issue 4.0 April 2012 ] as “the confidence that information systems (and services) will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users.”
2.5 Why is information assurance important?
1 See https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/62330/HMG_20Security_20Po licy_20Framework_20-_20v8_200_20-_20April_202012.pdf
for HMG Security Policy Framework
Version: 1.0
Location: Security/Policies
Page 4 of 8 Last saved date: 2013-03-18
NRS Information Assurance and Accreditation Policy
2.5.1 NRS data and documents are critical assets for the development of Government policy and for allocation and targeting of resources.
2.5.2 NRS must have confidence that data/documents collected, stored, processed, analysed and output is fit for purpose and meets user needs. For example, it must also meet the public undertakings that NRS have given in respect of Census data which will be kept in the strictest confidence and will be used solely for the production of statistics.
3. Responsibilities
3.1 All Branch Heads are directly responsible for implementing this policy within their business areas. Furthermore it is the responsibility of each NRS employee to adhere to this policy.
4. Information Classification
4.1 The Government Protective Marking System (GPMS) is the system used by the UK
Government and the UK devolved administrations to ensure that access to information and other assets is correctly managed and safeguarded. The system is designed to support business and meet the requirements of relevant legislation, international standards and international agreements.
4.2 While NRS makes every effort to classify data, it is not always possible. For example, the sheer scale and complexity of the UK Censuses make it difficult to apply a single protective marking for all Census information about individuals and households. However, NRS recognise that the standards and procedures appropriate for RESTRICTED level operations provide a suitable baseline for security solutions required to manage Census information.
5. Information Risk Management
5.1 Risk management is an iterative process that is carried out throughout the lifecycle of
NRS datasets. NRS adopt a risk management approach to cover all areas of protective security 2 . The assessment of risk is carried out using HMG standards and the outcome is documented in a Risk Management Accreditation Document Set (RMADS).
5.2 The level of impact likely to result from any compromise of confidentiality, integrity and availability of information is assessed using Business Impact Level (BIL) tables in HMG IA
Standard Numbers 1 and 2 Supplement – Technical Risk Assessment and Risk Treatment (also known as IS1 and 2). The tables use a seven point scale to enable NRS to make a balanced assessment of the countermeasures needed to meet requirements.
5.3 The BIL tables A4 (Public Services) and A6 (Public/Citizen) most closely relate to the business of NRS. The maximum BIL for any NRS dataset is 4.
2 Physical, personnel, procedural and information security.
Version: 1.0
Location: Security/Policies
Page 5 of 8 Last saved date: 2013-03-18
NRS Information Assurance and Accreditation Policy
5.4 NRS has set an overall level of risk that they are prepared to tolerate to achieve their business aims.
5.5 NRS is a risk minimalist and risk cautious department and is only prepared to tolerate a
LOW level of risk in all areas of the business.
5.6 Information systems that hold protectively marked information about individuals must go through a formal accreditation process to ensure compliance with HMG IS1 and 2.
6. Governance
6.1 NRS has established governance arrangements to manage information assurance. NRS has a Senior Information Risk Owner (SIRO) who is responsible for information risks. The SIRO ensures that appropriate arrangements are in place for the effective delivery of information assurance. The SIRO is supported by other roles including an Accreditor, Information Asset
Owners and the Departmental Security Officer.
6.2 NRS has an established Census Security Assurance Working Group (CSAG). While this group was originally set-up to concentrate on Census issues, it began to cover other areas of
NRS. With the expanding remit, it was decided to start a new Security Assurance Group in the spring of 2013.
6.3 The governance arrangements and the main roles in NRS are shown in Figure 1 below.
Figure 1
Senior Information Risk
Owner
Departmental Security
Officer
Accreditor Information Asset Owner
Day to day responsibility for all aspects of protective security
Responsible for ensuring that the accreditation process for business systems meets HMG IA
Manages information asset and controls access and handling of information asset standards
7. Accreditation
7.1 The formal assessment of an information system against its Information Assurance requirements is called Accreditation. This assessment may result in the acceptance of risks that
Version: 1.0
Location: Security/Policies
Page 6 of 8 Last saved date: 2013-03-18
NRS Information Assurance and Accreditation Policy cannot be mitigated (called residual risks) without adversely impacting the business itself. It is government policy that if a system contains protectively marked information, or is part of the
Critical National Infrastructure (CNI) it should be subject to a proportionate approach to
Accreditation.
7.2 NRS’ proportionate approach to accreditation will take into account a number of factors but will include; the scale or nature of a business activity, the risks associated with the project, the system or service specifics such as technical risks and development methodologies and change.
7.3 Any business activity involves risk, to the organisation, to other business activities, to clients, customers and partners. Some of these risks are security related, in that they involve threats to the confidentiality, security, integrity and availability of its information and business processes, or to the ability of the organisation to monitor its own activities and comply with the law. Accreditation is the process whereby these risks are assessed, and cost-effective countermeasures are determined and put in place. It includes the point at which the residual risks are formally accepted on behalf of the organisation.
7.4 Accreditation is fundamental to the assurance and delivery of any ‘trusted’ system or service that underpins government business. It is a continuous process, throughout and beyond the life of the delivery project.
7.5 All NRS systems that hold protectively marked information are subject to the
Accreditation process and documentation is produced to support the formal assessment as stated in Section 3 above. To assist with this NRS will use the principles of a “segmented model” as illustrated by the Segmentation Model in the Supplement to IS1 and 2. Any variations on this must be endorsed by the Accreditor.
7.6 As indicated in paragraph 5.4, NRS accredit all new systems however, NRS adopt a pragmatic and proportionate approach to using existing information risk management processes for any legacy systems or services.
7.7 Accreditation scope will always be defined the output document, RMADS, however accreditation will be carried out in a number of ways and further details are listed in section 9 below.
8. Re-accreditation
8.1 The accreditation function continues through the life cycle of a system and service and
NRS follow the HMG guidance that a review of findings of all technical risk assessments is carried out at least annually.
8.2 NRS will also review the accreditation status when there is a some type of major change or external environment factor. These will include instances such as, a significant change to a system, there is a significant change to any risk component (e.g. threat vulnerability, impact etc.) or a major security incident occurs.
Version: 1.0
Location: Security/Policies
Page 7 of 8 Last saved date: 2013-03-18
NRS Information Assurance and Accreditation Policy
9. Process
9.1 The accreditor will use several ways to carry out the accreditation process.
9.2 These will include the following:-
Regular meetings with the Information Security Manager
Regular meeting with the Senior Information Risk Owner
Meetings with specific Business Area leads
Scrutiny of Audit Reports including IT Health Checks
Scrutiny of RMADS
Scrutiny of Risk Assessment Process
Scrutiny of the RAID log which includes the Risk Register
Participation in the Security Assurance Group meetings
Usage of the HMG IAMM and GPG 19 Accreditation Service
Early involvement from the outset of all ICT projects
10. Accreditation Maintenance
10.1 All RMADS will be classed as working documents and will be updated accordingly when any major changes occur.
10.2 Accreditation will be subject to a care and maintenance aspect where for example any significant changes to the design / use of a system will be brought to the attention of the SAG by
Business Project Lead. With this in mind, a Care and Maintenance item will become a standing item on SAG agendas.
11. Reporting
11.1 The accreditor will report to the SAG at each meeting and provide written reports where required.
12. Escalation
12.1 The accreditor will raise issues as necessary at the SAG, which is chaired by the SIRO. If required, the accreditor will recommend further escalation to the Accounting Officer where required which can be done through the NRS Senior Management Team (SMT) meetings.
13. Dated
13.1 Formally released March 2013.
14. Policy Review
14.1 This policy will be subject to review on an annual basis.
Version: 1.0
Location: Security/Policies
Page 8 of 8 Last saved date: 2013-03-18
