UNCLASSIFIED
Information Risk Management Policy
This instruction applies to :-
Reference
NOMS Agency staff (Headquarters)
Prisons
AI 04/2012
PSI 16/2012
Issue Date
Expiry Date
Effective Date
Implementation Date
03 May 2012
15 May 2012
Issued on the authority of
For action by
For information
Contact
Associated documents
02 May 2016
NOMS Agency Board
All Governors/Directors of Contracted prisons and Heads of
Groups. In this document Governor also applies to Directors
of Contracted Prisons
All information asset owners, information asset custodians,
senior managers, delivery partners and third party suppliers
Clare Lewis, Information, Assurance and Policy Team.
Clare.lewis@hmps.gsi.gov.uk
0300 047 6258
PSO 9010 – IT Security
PSO 9015 – Information Assurance
PSO 9025 - Archiving Retention and Disposal
Replaces the following documents which are hereby cancelledNone
Audit/monitoring :
Compliance with this instruction will be monitored by Audit and Corporate Assurance.
Introduces amendments to the following documents:
None
UNCLASSIFIED
UNCLASSIFIED
PAGE 1
CONTENTS
Section
1
Subject
Executive Summary
2
Information Risk Management
3
4
Compiling and Maintaining an Information
Risk Register
Business Continuity Planning
5
Physical and Personnel Security
6
Delivery Partners and Third Party
Suppliers
Annex A
Roles and Responsibilities
Annex B
Annex C
Information Assurance Risk Management
Process
Reviewing the Information Risk Register
Annex D
Information Risk Register - Example
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
Applies to
Governors, Head’s of Groups,
Information Asset Owners,
Information Asset Custodians
Governors, Head’s of Groups,
Information Asset Owners
Information Asset Custodians
Governors, Head’s of Groups,
Information Asset Owners
Governors, Head’s of Groups,
Information Asset Owners
Governors, Head’s of Groups,
Information Asset Owners,
Information Asset Custodians
Governors, Head’s of Groups,
Information Asset Owners,
Information Asset Custodians
Governors, Head’s of Groups,
Information Asset Owners,
Information Asset Custodians
Governors, Head’s of Groups,
Information Asset Owners
Governors, Head’s of Groups,
Information Asset Owners
Governors, Head’s of Groups,
Information Asset Owners
ISSUE DATE 03/05/2012
UNCLASSIFIED
1
PAGE 2
Executive summary
Background
1.1
Reliable and accurate information management is critical to proper decision making across
the Ministry of Justice (MoJ). Information can take many forms and may or may not have
protective markings – from data sets containing personal information through to records of
sensitive meetings, policy recommendations, prisoner records, case files, correspondence
and historical records.

Information is the lifeblood of our organisation, it is a critical business asset that
NOMS needs to protect and get the most value from to benefit the business

The management of information risks should be incorporated into all day-to-day
operations. If effectively used it can be a tool for managing information proactively
rather than reactively. It will enable NOMS to get the right information to the right
people at the right time, and help avoid incidents where data is lost or improperly
disclosed.
Desired outcomes
1.2
This policy sets out NOMS commitment to the management of information risk. It also sets
out what prison establishments, headquarters groups, their ‘delivery partners’ and third
party suppliers should do to manage information risk. In doing so, this policy supports the
NOMS strategic aims and objectives and should enable employees throughout the
organisation to identify an acceptable level of risk and, when required, use the correct risk
escalation process.
Application
1.3
Governors, Directors of Contracted Prisons, Head’s of Groups, Information Asset Owners
and Information Asset Custodians must be familiar with the policy.
Mandatory actions
1.4
Governors, Directors of Contracted Prisons, Heads of Groups and Information Asset
Owners must ensure that Senior Management Teams and Information Asset Custodians
review and are aware of this policy, a local Information risk policy must be produced and be
available to all staff.
All establishments and headquarters groups must have an Information Risk Register in
place.
The Information Asset Owner must carry out a quarterly review of the information risks
Resource Impact
1.5
Initial completion of the risk register should take a group of senior managers between 4 - 6
hours, depending on the complexity of the prison.
Quarterly reviews should take no longer that 1 -2 hours, depending on the number of
actions identified.
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012
UNCLASSIFIED
PAGE 3
2.
Information Risk Management
2.1
Reliable and accurate information is critical to proper decision making in NOMS. This
makes information a vital business asset that we need to protect. Information risk
management provides this protection by managing risks to the confidentiality, integrity and
availability (CIA) of information to assist our business to function effectively.
2.1
Confidentiality means ensuring that only authorised people can get to our information
2.3
Integrity means ensuring that it is authentic, accurate and complete
2.4
Availability means that authorised people can access it when they need to, at the right
times in the right ways
2.4
Keeping the right information for the right period of time is also very important and can
help ensure we comply with a range of statutory responsibilities (e.g. Freedom of
Information 2000, Public Records Act 1958 & 1967, Data Protection Act 1998), supply
information when it's requested by, for example, high-profile public enquiries, and provide
supporting evidence in the event of litigation against NOMS. For guidance refer to PSO
9025 – Archiving, Retention and Disposal
2.5
Information Asset Owner (IAO)
IAOs are responsible for the day to day use of information, which includes who has access
to the information and risk management of their information. They are usually governing
governors or heads of group but may be other senior managers such as IT system owners
involved in running the relevant business area.
2.6
IAOs are responsible for making sure their business areas, delivery partners and third party
suppliers with whom they work, have in place the arrangements needed to implement and
maintain an effective information risk management policy. The IAO may wish to appoint
Information Asset Custodians to work on their behalf, taking day to day oversight of assets
and reporting back to the IAO on the changes to risks.
Further information about the role of the IAO can be found in Annex A of this document and
Appendix 1 of PSO 9015 - Information Assurance.
2.7
Information Risk Register
IAOs must review information risks on a quarterly basis as part of the review of the
establishment/business group Information Asset Register and, where appropriate, escalate
any risks to the Information Policy and Assurance (IPA) Team at
informationassurance@noms.gsi.gov.uk or by telephone on 0300 047 6590. As well as
existing risks that have already been identified, the review must also consider forthcoming
potential changes in services, technology and threats.
Guidance on reviewing the Risk Register can be found in Annex C
2.8
The IPA team will decide whether it is appropriate to escalate any risks to the NOMS Senior
Information Risk Owner (SIRO) (Annex A). NOMS is required to provide a report on
information risk annually as part of a MoJ annual assessment of information risk and the
information received from the IAOs forms part of this report. Additionally NOMS is required
to provide quarterly risk updates to the MoJ SIRO Board.
2.9
The IAO must ensure that any Information and Communications Technology (ICT) systems
that hold protectively marked information are accredited according to government
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012
UNCLASSIFIED
PAGE 4
standards by a MoJ Accreditor. For further information on the accreditation process or to
determine whether the ICT system is an accredited system please contact a member of the
MoJ ICT team.
2.10
Disciplinary action will be considered for any member of staff (including contractors,
consultants, and suppliers so far as is feasible) who do not follow the mandatory actions set
out in this policy, unless prior agreement to do so has been secured from the NOMS SIRO.
3.
Compiling and Maintaining an Information Risk Register
3.1
To provide evidence that the risks in their business area have been identified and that there
are plans in place for managing them the IAO must compile and maintain an Information
Risk Register. A well-organised and easy to understand Risk Register is fundamentally
important. The register needs to provide enough information to the IAO to enable them to
be able to identify and explain the risk management decisions within each business group
3.2
Each prison establishment and headquarters group will already have an Information Asset
Register in place, this can be used to help to identify the different types of information
assets held and provide direction on the risk to the organisation that a loss / compromise or
lack of availability of that asset would have.
3.3
The Information Risk Register
A partially completed risk register template that you can amend to fit your own
establishment / business area can be found in Annex D. The draft has been provided to
assist you but you will need to look at the information in each of the columns and consider
the extent to which it is valid in your location.
3.4
You must include any additional risk descriptions and possible causes with establishment /
business area specific risks and causes where necessary.
3.5
Prison establishments and business areas must use the NOMS Information Risk Register
template provided, which contains the following information

a description of each risk expressed in terms of the potential or actual compromise
associated with the risk and the cause (threat and vulnerability),

an indication of the Information Assurance (IA) controls already in place to
remediate each risk,

a rating that reflects the likelihood of the risk being realised and is typically
expressed in terms of the ‘score’ assigned by the risk assessment method used,

A rating that reflects the business impact associated with the threat being realised is
typically expressed in terms of the ‘score’ assigned by the risk assessment process,

a description of the IA controls that the business group has or plans to implement to
further control the risk (together with any additional actions or contingency
arrangements that lessen the business impact if the risk is realised), and

a target date for implementing proposed IA controls or other plans to reduce the risk
further.

A target rating that reflects the score following the implementation of the further
controls
Guidance on completing a risk register can be found in Annex B
An Excel version of the Risk Register template can be downloaded from the IPA team’s
intranet pages.
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012
UNCLASSIFIED
3.6
PAGE 5
Escalating the Risk
If a risk hits a certain ‘score’ it must be escalated to a specific management level. If a risk
is given a collective impact/likelihood score of 9 or above, or an existing risk being
managed at establishment level whose collective score for impact and likelihood
is/becomes 9 or above, it must be escalated to the NOMS SIRO via the IPA Team. The
NOMS IPA team can be contacted on informationassurance@noms.gsi.gov.uk or on 0300
047 6590.
3.7
It is unlikely that a risk with a score of 15+ will be identified in either prison establishments
or headquarters groups that has not already been identified and included in the overall
NOMS Information Risk Register. However any new/existing risks which are identified as
having a score of 15 or above must be escalated to the MoJ SIRO Board by the IPA team.
Further guidance on escalating risks to the appropriate level can be found in Annex B
3.8
The Annual Information and Assurance Compliance Statement required under PSO 9025 Archiving Retention and Disposal includes a statement giving assurance that your Risk
Register is in place. The return must be completed and sent electronically to the NOMS
IPA team at informationassurance@noms.gsi.gov.uk by 31 March each year.
4.
Business Continuity Planning
4.1
The purpose of business continuity is to create the conditions that ensure a business can
continue to operate even after an event that denies it access to its assets and information:
this could be a server failure, a power cut, a fire or any other catastrophic event.
4.2
To ensure business continuity is maintained across NOMS all prison establishments must
have in place a Contingency Plan for the loss of Prison NOMIS. The Governor/IAO is
responsible for contingency plans within their establishment and must nominate suitable
personnel for undertaking tasks identified in the plan. Whilst HPES will be responsible for
managing the resolution of the disruption, it is the responsibility of the IAO to make sure
that all staff are aware of the contingency plans and have enough knowledge to implement
them.
4.3
It is important that IAOs in both establishments and headquarters identify their local 'vital
records'. These are information assets that are not held on the Quantum system but have
been identified as essential for the continuation of NOMS operations if, for example, stand
alone IT systems and / or paper records cannot be accessed.
4.4
The plan must identify proposals for the recovery of business critical activities promptly and
efficiently and include proposals for the protection of local ‘vital records’ and NOMS
information assets.
4.4
For guidance on putting in place suitable business continuity and contingency plans for ICT
systems prison establishments may wish to consult with MoJ ICT.
4.5
For staff in headquarters and regional offices PSO 1401 Para 1.2 - Business Continuity
Management Manual provides guidance on business continuity planning.
5.
Physical and Personnel Security
5.1
Physical Security - Security managers in prison establishments and headquarters buildings
must assess any physical security risks that affect the sites and environments in which ICT-
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012
UNCLASSIFIED
PAGE 6
based and paper-based information systems reside. They must ensure that IAOs (and ICT
accreditors) are made aware of any assessed risks that affect them.
5.2
Personnel security - All staff must have the appropriate level of checking or ‘vetting’ needed
to assure the reliability of each employee (including contractors) according to the sensitivity
of the information that the member of staff has regular access to and the business impact
that might arise if that employee discloses this information without authority. Refer to AI
24/2010 or PSI2010/43 – Security Vetting for more information.
6.
Delivery Partners and Third Party Suppliers
6.1
NOMS Delivery Partners and Third Party Suppliers must identify and manage risks to all
NOMS information assets that they have access to and/or control of, including escalating
them via the necessary channels as outlined in this policy (via the IAO, the IPA Team and
NOMS SIRO).
6.2
Any significant risks relating to NOMS information must be raised with the relevant point of
contact and if required the relevant IAO, as outlined in this policy.
Any enquiries regarding the instructions contained within this policy should be directed to The
NOMS IPA team at informationassurance@noms.gsi.gov.uk or on 0300 047 6590.
(approved for publication by:)
Martin Bellamy,
NOMS Senior Information Risk Owner (SIRO)
Director of Change and ICT, NOMS
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012
UNCLASSIFIED
PAGE 7
Annex A
Roles and Responsibilities
1.
MoJ SIRO Board; SIRO means Senior Information Risk Owner. The Board is composed of
all of the MoJ’s Business Group SIROs and Executive Agency SIROs. The Board is
chaired by the MoJ SIRO.
2.
NOMS Senior Information Risk Owner (SIRO); The NOMS SIRO has overall responsibility
for all NOMS information assets in NOMS Headquarters and prison establishments. The
NOMS SIRO sits on the SIRO Board and provides assurance that all information asset
owners in NOMS are following their responsibilities.
The NOMS SIRO is the NOMS CICT Director; they are the focus for the management of
information risk at Board level, are familiar with information risks and would lead the NOMS
response in the event of a major data incident.
3.
Information Asset Owners (IAOs); are usually governing governors or heads of group but
may be other senior managers involved in running the relevant business area. They are
responsible for the day to day use as well as the risk management of their information
asset, and supporting the NOMS SIRO in carrying out their duties.
IAOs identify and manage information risks associated with the particular NOMS
Information Asset(s) they are responsible for. Their role is to understand what information
is held, what is added and removed, and who has access and why as well as ensuring that
information is fully used within the law for the public good, and providing written input
annually to the NOMS SIRO on the security and use of their asset. IAOs are also
responsible for ensuring that appropriate business continuity plans are in place for their
prison establishment or business area.
IAOs are responsible for implementing this information risk management policy in their
respective business areas, and for regularly reviewing the policy. To this end the IAOs are
responsible for making sure their business areas, and the delivery partners and third party
suppliers with whom they work, have in place the arrangements needed to implement and
maintain an effective information risk management policy.
The IAO may wish to appoint Information Asset Custodians to work on their behalf, taking
day to day oversight of assets and reporting back to the IAO on the changes to risks.
Further information about the role of the IAO can be found in Appendix 1 of PSO 9015 -
Information Assurance.
4.
Information Asset Custodians (IAC) are involved in the day to day use and management of
information assets in a particular area, they will be appointed by the IAO to have
responsibility for overseeing and implementing the necessary safeguards to protect the
information assets and report back to the IAO on any changes to risks. The IAO will retain
the overall responsibility.
5.
The Information Policy and Assurance (IPA) Team is based in the Change and Information
Communication Technology Directorate (CICT). The team aims to provide information
management to deliver business benefits and efficiency savings, reduce information risk
and facilitate compliance with information legislation.
Its role is to enable, monitor and develop Information Assurance Maturity and Compliance
within NOMS. The team also owns and maintains the NOMS Information Risk Register and
provides written advice to the NOMS SIRO on the security and use of NOMS assets.
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012
UNCLASSIFIED
PAGE 8
Annex B
Information Assurance Risk Management Process
Risk management is an iterative process. It encompasses the following stages: Risk
Identification, Risk Assessment, Risk Monitoring and Escalation.
A Risk Register that provides enough information to explain risk management decisions
will enable the IAO to monitor and manage the risks within their business group.
A partially completed risk register template that you may wish to amend to fit your
business group can be found in Annex D. The draft has been provided to help you to
prepare your local document.
In order to complete it you will need to look at the information in each column and consider
the extent to which it is true in your location and provide an appropriate risk rating.
You must include any additional risk descriptions with establishment / business area
specific risks, causes and mitigating actions and also include the possible consequences of
the risk being compromised where necessary.
An Excel version of the Risk Register template can be downloaded from the IPA Team’s
intranet pages.
Stage 1 - Risk Identification:
1.1
Situations where risks must be identified may take many forms, for example:

Preparation to develop a new Information Communication Technology (ICT) based
or paper-based information system,

Regular review under ‘business as usual’ arrangements for maintaining IA, and

Work to address a change of requirement.
1.2
The starting point in these examples is risk analysis: being clear on what information
assets fall within scope of the assessment and the importance of those assets to the
business (or the impact of loss of confidentiality, integrity or availability).
1.3
Each prison establishment or business group will already have an Information Asset
Register in place, this can be used to help to identify the different types of information
assets held and to provide direction on the risk to the organisation that a loss /
compromise of that asset would have. Some examples of information assets are:
1.4

Staff and HR Details

Official Correspondence

Prisoner records and reports

Financial budgetary information

Litigation or caseworking files
Once you have considered the information assets that might be at risk you need to identify
the ‘risk description’ which is the form that the compromise / loss might take. The
following suggestions are some of the factors that you might want to consider as ‘risk
descriptions’ when completing your own register, this list is only for guidance and you
might identify different or additional risks that are more appropriate in your own business
area:

Inappropriate disclosure of personal material
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012
UNCLASSIFIED
1.5
1.6
PAGE 9

Theft, loss or unauthorised access to information (paper records should be
considered as well as electronic and systems)

Ineffective or insecure information sharing

Records retained for the wrong length of time

Failure to create or locate reliable records as evidence of business decisions and
activities

Poor management of information risk

Stand alone IT systems that are not supported through Quantum
Once you have identified the ‘risk description’, the next step is to identify the organisations,
people or events that pose a threat to your information assets. The following are just a
few of the possible causes of information loss / compromise but you need to consider
which of these are true in your business area and update the Risk Register to reflect this:

Lack of awareness and training

Absence of information sharing agreements

Password sharing

Documents sent to incorrect address or lost/compromised during transmission

Dishonesty

Inappropriate storage

Records retained unnecessarily result in large volumes of data to be searched.

Unavailability of business continuity plans
An important part of the risk identification process for IT systems is through the
accreditation process. Further information on this process can be found in PSO 9010 - IT
Security.
Stage 2 - Assessing the Scale of Risk:
2.1
Assessing a risk involves evaluating two factors, these are:
The Impact to the organisation where the compromise/loss to occur, and
The Likelihood of the risk being realised, taking into account the working environment and
past experience.
2.2
The assessment of these factors helps you to decide on the overall severity of each risk,
this means that they can be prioritised and resources focused on the most serious.
2.3
The table below illustrates what score is attached to each level for both impact and
likelihood. Once you have decided on the scores they are multiplied together to give the
overall risk score.
2.4
For example:

A risk is determined to have a ‘significant detrimental effect in the long term’ would
have a score of High (4).

It is then judged the likelihood of this occurring is unlikely giving a score of Low (2).

This is multiplied to give a total risk score of 8.

This score is then used to determine if the risk needs escalating.
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012
UNCLASSIFIED
PAGE 10
IMPACT
Scale
LIKELIHOOD
5 Very High
Prevents achievement of NOMS objectives or has
highly damaging impact on NOMS operational
effectiveness or reputation. .
> 80 %
Almost
Certain
4 High
Significant detrimental effect on achievement of
NOMS corporate objectives in the longer term.
National media criticism.
51 – 80 %
Probable
3 Medium
Impacts at local level on elements of efficiency, output
and quality which impacts on the outcome of long
term NOMS corporate objectives. Potential for
negative local media coverage
21 – 50 %
Possible
2 Low
Impact at local level on short term goals within their
objectives without affecting long term achievement of
NOMS corporate objectives.
6 – 20 %
Unlikely
1 Very Low
Minor and containable impact on achievement of local
(establishment / business area) objectives.
<5%
Very Unlikely
Risk scores can be shown on a matrix:
Risk A: Very High Impact (5), and High Likelihood (4), giving a score of 20;
Risk B: High Impact (4), and Medium Likelihood (3), giving a score of 12;
Risk C: Low Impact (2), and High Likelihood (4), giving a score of 8.
2.5
The risk scores are used to decide if the level of risk is acceptable, or if further action to
mitigate is required, (e.g. controls, escalation and/or contingency plans).
Stage 3 - Managing the risk:
3.1
There are generally four options that the IAO must consider when deciding how to manage
the identified risk.
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012
UNCLASSIFIED
PAGE 11
3.2
The first one is ‘treating the risk’ which is done by applying one or more Information
Assurance controls to reduce the likelihood of the risk being realised or lessen the impact
if the risk is realised. Examples of these controls could be:

Implementing the mandatory actions in PSO 9015 – Information Assurance

Implementing the mandatory actions in PSO 9025 - Archiving Retention and
Disposal

Using the Government Protective Marking Scheme

Investigation of incidents and lessons learned

Training and awareness

Putting in place suitable business contingency plans
3.3
The second option is ‘removing the risk’, this is done by finding another way to achieve a
business objective; for example returning protectively marked documents to the originating
department rather than storing them within NOMS.
3.4
Another possible option to consider is ‘transferring the risk’ by outsourcing services. It is
important to recognise that even if it is possible to transfer responsibility for managing a
risk to an organisation other than NOMS, the consequences of a risk will rest wherever the
business impact associated with it being realised is felt. The legal basis for sharing
information and appropriate contractual provisions and arrangements to ensure
compliance with control requirements must be in place.
3.5
Finally the IAO could decide that ‘tolerating the risk’ is the most appropriate action. This is
usually done where:

the financial cost of mitigation is too great,

where the likelihood of the risk being realised is low,

where the impact on the organisation if the risk is realised is low or else

where the business benefit is high.
Stage 4 – Monitor and Escalate:
4.1
An ongoing programme of periodic monitoring, inspection and testing is required which
validates and provides evidence that the IA controls used to manage risks remain
effective.
4.2
An annual Information and Assurance Compliance Statement is required under PSO 9025
- Archiving Retention and Disposal, the statement must be completed on an annual basis
and includes a statement giving assurance that your Risk Register is in place.
4.3
In addition to this the IAO must carry out a quarterly review of the information risks. As
well as existing risks that have already been identified, the review must also consider
forthcoming potential changes in services, technology and threats. Reviews must be
discussed at local SMT level and minuted.
4.4
Where the risk relates to ICT-based information systems: Business groups must use Her
Majesty’s Government’s (HMG) accreditation process to assess, treat, validate and verify
risk to all ICT-based information systems on which their business operations depend. For
further information on the accreditation process or to determine whether the ICT system is
an accredited system please contact a member of the MoJ ICT team.
4.5
If a risk hits a certain score it must be escalated to a specific management level. This is
set out below;



Very High
High
Med
PSI 16/2012 – AI 04/2012
(I/L 20-25)
(I/L15 - 19)
(I/L 9 - 14)
MOJ Board via the Corporate Risk Register
SIRO Board through the NOMS IPA Team
NOMS SIRO through the NOMS IPA Team
UNCLASSIFIED
ISSUE DATE 03/05/2012
UNCLASSIFIED


4.6
Low
V. Low
(I/L 5 - 8)
(I/L 1 - 4)
PAGE 12
Information Asset Owner
Can be managed at Business Group level
How does it work in practice? The description below illustrates the step by step process.

Step 1 (Risk registration) - Any new risk which has a collective impact/likelihood
score of 9 or above, or an existing risk being managed at Business Group level
whose collective score for impact and likelihood is/becomes 9 or above, must be
escalated to the NOMS SIRO via the NOMS IPA Team at
informationassurance@noms.gsi.gov.uk or by telephone on 0300 047 6590.

Step 2 (Risk acceptance) - The NOMS SIRO will review any proposed new risks
and make a decision on whether to accept, reject or transfer the risk to a new
owner. The NOMS SIRO will also agree that the scoring is appropriate, the
mitigating actions, target dates and risk owner.

Step 3 (Escalation to SIRO Board) - It is unlikely that a risk score of 15+ will be
identified in either prison establishments or headquarters groups that has not
already been identified and included in the overall NOMS Information Risk
Register, however any new/existing risks which are identified as having an
impact/likelihood score of 15 or above will be escalated to the SIRO Board who will
consider whether the risk should be escalated to the Corporate Risk Register
(generally a score of 20-25) and if appropriate the Corporate Risk Team will notify
the Departmental Board.
These risks will require an accompanying action plan (or risk treatment plan)
setting out in detail the full risk, the controls in place, the proposed mitigating
controls and a detailed timeline to completion. Additionally, SIROs will be required
to provide updates on these significant risks.

4.7
Step 4 (Closure) - Risks with a score of 15+ which are tabled for closure will need
to go to the SIRO Board with an accompanying closure report (which may be an
updated action plan, outlining all of the mitigations which are in place, the target
score which has been achieved and any residual risk).
It is worth remembering that when risks are escalated and assessed at the next
management level, that the level of impact is likely to be moderated as objectives and
responsibilities widen. Therefore, a risk identified at local level may often (although not in
all cases) have a lower impact upon the overall NOMS business objective.
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012
UNCLASSIFIED
PAGE 13
Annex C
Reviewing the information Risk Register
1.1
IAOs must review information risks on a quarterly basis and, where appropriate, escalate
any risks to the Information Policy and Assurance (IPA) Team. At each review consider if
existing risks are still relevant, achieve the same score and if new risks have emerged.
Even where risks remain the same, it is likely that controls and contingency plans will
require updating
1.2
Where an operationally significant risk has been identified the IAO will need to describe
the mitigating actions that will be put in place and then assess the residual risk rating,
taking into account the additional measures that are being proposed. When the review of
the Risk Register is carried out the IAO must take into account when the mitigating actions
have been carried out so they can be entered onto the register as control measures
(Annex D)
1.3
As well as existing risks that have already been identified, the review must also consider
forthcoming potential changes in services, technology and threats.
.
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012
UNCLASSIFIED
PAGE 14
Annex D
Information Risk Register
Information Asset Owner
…………………………………………………………………………………………
Controls:
In Place and Active
(Transfer to Controls Proposed /
planned column where Controls are
not currently in place)
Effect(s)
1
Lack of awareness training,
Absence of Information Sharing
Agreements (ISAs),
Requests to access information are not
escalated to Information Asset Owner,
Failure to check contents of disclosure,
Failure to follow Government Protective
Marking Scheme (GPMS)
Serious and unwarranted damage and
distress to individuals
Breach of DPA and infringement of privacy
Regulatory, court action or financial
penalties
damage to reputation and integrity
Cost and resources required to investigate
PSI 16/2012 – AI 04/2012
L
I
Controls:
Proposed / Planned
(incl. Date/Action Officer)
Obtaining guidance and support regarding
incident management from Information
Assurance Team,
Local Information Sharing Agreements
(Identify local agreements here if they are
in place)
Annual Information Assurance Training (enter current completion rate)
Target
L
I
Compliance with PSO 9015 - Information
Assurance,
L
Risk
Owner
Control
Owner
Date
100% Annual level 1 information
assurance training completed for
all staff by 31 March /
Action:
Additional Action
Cause(s)
Risk
(Event)
I
Inappropriate Disclosure of personal
data
Current
Risk ID
Risk Description
Last Period
HMP/Business Group ……………………………
IAO Reference Guide read by IAO
and recorded in annual compliance
statement
Action:
Information Assurance Audit
compliance by…………..
Action:
IA Audit compliance (enter current
score)
Identified IA roles in place (IAO,
Custodian, LIM, IAR)
UNCLASSIFIED
ISSUE DATE 03/05/2012
3
Compliance with PSO 9010 - IT Security
Inadequate access and permissions
management
Password sharing
Poor information asset management
Dishonesty
Emails sent to wrong address or lost
compromised during transmission
Non-Quantum IT breaches security
requirement - i.e. 5x5 data transfers and
backups
Inadequate business continuity planning
Serious and unwarranted damage and
distress to individuals
Breach of DPA and infringement of privacy
Regulatory, court action or financial
penalties
damage to reputation and integrity
Cost and resources required to investigate
Cost of recreating / retrieving information
Compliance with PSO 9015 –
Information Assurance
Theft, loss or unauthorised access to
information (paper based)
Compliance with PSO 9010 - IT Security
Risk (Event)
Effect(s)
2
Theft, loss or unauthorised access to
information (electronic and systems
related
PSI 16/2012 – AI 04/2012
PAGE 15
Data Loss Reporting guidelines
issues to all staff by……….
Action
Implementation of the Government
Protective Marking Scheme
Additional Action
Compliance with PSO 9020 – Data
Protection, FOI
Only laptops, Blackberrys and USB
memory sticks encrypted to HMG
standards will be used
Annual Information Assurance training
(enter current completion rate)
Regular data backups are carried out and
up to date backup logs are kept
Compliance with PSO 9020 – Data
Protection, FOI
Compliance with PSO 9015 –
Information Assurance
UNCLASSIFIED
Additional Action
Cause(s)
Risk (Event)
UNCLASSIFIED
Data Loss Reporting guidelines
issues to all staff by……….
Action
ISSUE DATE 03/05/2012
Implementation of the Government
Protective Marking Scheme
Ineffective or Insecure Information
Sharing
Compliance with PSO 9015 - Information
Assurance,
PAGE 16
Annual Information Assurance training
(enter current completion rate)
Obtaining guidance and support from
Information Assurance Team,
Local Information Sharing Agreements
(Identify local agreements here if they are
in place)
Additional Action
4
lack of awareness of failure to follow
protective marking or inappropriate
classification
Documents stored in damp conditions and
damaged beyond repair
Documents not filed correctly and not
available to be retrieved
Dishonesty / sabotage
Carelessness
Clear desk policy not enforced
Documents posted / faxed to wrong address
or lost / compromised during transmission
Serious and unwarranted damage and
distress to individuals
Breach of DPA and infringement of privacy
Regulatory, court action or financial
penalties
damage to reputation and integrity
Cost and resources required to investigate
Cost of recreating / retrieving information
Risk (Event)
Effect(s)
Cause(s)
UNCLASSIFIED
Effective business continuity plans in
place
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012
Cause(s)
5
PAGE 17
Information sharing agreements not in place
or not comprehensive enough
Failure to share the right information with
the right people at the right time
Shared information is not stored securely or
in line with GPMS
Shared information that is held
electronically is not stored on secure and
accredited ICT systems
Information used for purposes other than
those agreed
failure to disclose critical information for
offender case management
Serious & unwarranted damage and distress
to individuals
Adverse effect on prisoner discipline
Breach of DPA and infringement of privacy
damage to reputation and integrity
Information not shred prior to the departure
of staff - knowledge not retained
Loss of business continuity
Records Retained for the Wrong Length
of Time
Compliance with PSO 9025 - Archiving,
Retention and Disposal
Local Information Manager and deputy in
post
Information not covered by retention policy
lack of awareness and motivation
Dishonesty / sabotage
Records retained 'just in case'
Records not removed from non-Quantum IT
systems in line with retention policy
PSI 16/2012 – AI 04/2012
Local Information Manager and deputy
received training
UNCLASSIFIED
Additional Action
Risk (Event)
Effect(s)
Cause(s)
UNCLASSIFIED
ISSUE DATE 03/05/2012
Effect(s)
6
Breach of DPA, FOI & Public Records Act
Breach of other requirements for the
retention of records
Unnecessary cost of storage of physical and
electronic information
Inability to protect NOMS best interests in
cases of litigation because relevant records
have been destroyed
Premature destruction seen as an attempt to
prevent disclosure
regulatory, court or financial penalties
Damage to reputation and integrity
Failure to Create or Locate Reliable
Records as Evidence of Business
Decisions and Activities
Records not created in the first place to
document key decisions and activities
records retained unnecessarily result in
large volumes of data to be searched in
information is requested
records are not managed systematically and
electronic and physical filing is not carried
out
PAGE 18
Compliance with PSO 9015 - Information
Assurance
Compliance with PSO 9025 Archiving,
Retention and Disposal
Effective review and destruction process
in place
Effective use of Shared Drive folders on
Quantum system
Additional Action
Cause(s)
Risk (Event)
Effect(s)
UNCLASSIFIED
Breach of DPA and FOI
records required for evidential purposes (i.e.
in court) will not be available
legal action against NOMS
critical information can't be found or takes
too long to find when needed
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012
Vital records and NOMS information
Assets lost as a Result of server failure, a
power loss, fire or any other catastrophic
event
Vital records not identified in local business
continuity plan
Contingency plans are not in place for non
Quantum IT systems such as SIS
business continuity plans are not in place
Compliance with PSO 1400 Contingency planning
Effective contingency plans in place for
Prison NOMIS systems
Effective business continuity plans in
place for Non Quantum IT systems such
as SIS
Vital records are identified and identified
within local continuity plans
7
Effect(s)
PAGE 19
Additional Action
Cause(s)
Risk (Event)
UNCLASSIFIED
Vital records may be destroyed in the event
of an incident or failure
Unable to access information with potential
legal & financial consequences
Significant investment required in the case
of a major incident or failure
Business continuity affected
Desk top contingency exercise carried out
every 12 months
Date Signed Off by Information Asset Owner ………………………………….
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012
UNCLASSIFIED
EIA
PAGE 1
EIA Equality Impact Assessment
PSI 16/2012 Information Risk Management Policy
Stage 1 – initial screening
The first stage of conducting an EIA is to screen the policy to determine its relevance to the various
equalities issues. This will indicate whether or not a full impact assessment is required and which
issues should be considered in it. The equalities issues that you should consider in completing this
screening are:







Race
Gender
Gender identity
Disability
Religion or belief
Sexual orientation
Age (including younger and older offenders).
Aims
What are the aims of the policy?
This policy sets out NOMS commitment to the management of information risk. It
also sets out what prison establishments, private prisons, headquarters groups, their
‘delivery partners’ and third party suppliers should do to manage information risk.
Effects
What effects will the policy have on staff, offenders or other stakeholders?
This policy supports the NOMS strategic aims and objectives and should enable
employees throughout the organisation to identify an acceptable level of risk and,
when required, use the correct risk escalation process.
Evidence
Is there any existing evidence of this policy area being relevant to any equalities issue?
Identify existing sources of information about the operation and outcomes of the policy, such as operational
feedback (including local monitoring and impact assessments)/Inspectorate and other relevant
reports/complaints and litigation/relevant research publications etc. Does any of this evidence point towards
relevance to any of the equalities issues?
There is no existing evidence that this policy area has relevance to any equalities issue
Stakeholders and feedback
Describe the target group for the policy and list any other interested parties. What contact have
you had with these groups?
Governors, Directors of contracted prisons, Heads of Groups and Information Asset
Owners have a specific interest in this policy. All senior managers and information
asset custodians should be aware of the policy. Consultation has been carried out with
a sample group of Information Asset Owners, MoJ ICT and IA, PAG and Unions.
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012
UNCLASSIFIED
EIA
PAGE 2
Do you have any feedback from stakeholders, particularly from groups representative of the
various issues, that this policy is relevant to them?
No feedback has been received from stakeholders
Impact
Could the policy have a differential impact on staff, prisoners, visitors or other stakeholders on
the basis of any of the equalities issues?
The policy is designed to ensure that information risks are managed consistently across
prison establishments and headquarters. It will not therefore have a differential impact
in staff on the basis of any equalities issues.
Local discretion
Does the policy allow local discretion in the way in which it is implemented? If so, what
safeguards are there to prevent inconsistent outcomes and/or differential treatment of different
groups of people?
The mandatory policy must be followed with regard to the completion of the
Information Risk Register and the compliance statement. The Information Asset
Owner (IAO) will need to spend time monitoring and reviewing local processes and
the local management plan may differ from business area to business area. However
this will relate to the risk management of information assets and not the management
of staff or offenders
Summary of relevance to equalities issues
Strand
Race
Gender (including
gender identity)
Disability
Religion or belief
Sexual orientation
Age (younger offenders)
Age (older offenders)
Yes/No
Rationale
No
No
The instruction applies to the risk management
of information assets and not the management of
staff or offenders
As above
No
As above
No
As above
No
As above
No
As above
No
As above
If you have answered ‘Yes’ to any of the equalities issues, a full impact assessment must be completed. Please
proceed to STAGE 2 of the document.
If you have answered ‘No’ to all of the equalities issues, a full impact assessment will not be required, and this
assessment can be signed off at this stage. You will, however, need to put in place monitoring arrangements to
ensure that any future impact on any of the equalities issues is identified.
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012
UNCLASSIFIED
EIA
PAGE 3
Monitoring and review arrangements
Describe the systems that you are putting in place to manage the policy and to monitor its
operation and outcomes in terms of the various equalities issues.
There is no evidence that equalities issues are relevant to the implementation of this
policy. The policy will be managed through a network of Information Asset Owners
(IAOs) in prison establishments and headquarters. Compliance will be formally
monitored through submission of the compliance statement.
State when a review will take place and how it will be conducted.
A review will take place when the Instruction is reviewed, following a change in
legislation or if evidence comes to light which indicates that equalities issues need to
be raised.
Policy lead
Head of group
Name and signature
Date
Clare Lewis
17 Nov 11
Paul Duffin
17 Nov 11
PSI 16/2012 – AI 04/2012
UNCLASSIFIED
ISSUE DATE 03/05/2012