Information Governance Management - Strategic Health Authorities Guidance Requirement 121 Does the SHA have a Board level Senior Information Risk Owner (SIRO) who takes ownership of the SHA’s information risk policy, acts as advocate for information risk on the board and provides written advice to the accounting officer on the content of their Statement of Internal Control in regard to information risk? The establishment of the role of SIRO is one of several measures to strengthen controls around information security outlined in a recent Cabinet Office review and report on Data Handling. The SIRO should be an Executive or Senior Manager on the SHA Board who is familiar with information risks and the organisation’s response to risk and has the knowledge and skills necessary to provide the required input and support to the Board and to the accountable officer. The SIRO may also be the Chief Information Officer (CIO) if the latter is on the board. Accountability and Performance Senior level ownership of information risk is a key factor in successfully raising the profile of information risks and to embedding information risk management into the overall risk management culture of the SHA. Senior leadership demonstrates the importance of the issue and is critical in obtaining the resources and commitment necessary to ensuring information security remains high on the Board agenda. The role of the Accountable Officer The Chief Executive as Accountable Officer of the SHA has overall accountability and responsibility for Information Governance in the SHA and is required to provide assurance, through the Statement of Internal Control that all risks to the SHA, including those relating to information, are effectively managed and mitigated. The role of the Senior Information Risk Owner (SIRO) The Senior Information Risk Owner (SIRO) will be an Executive Director, Chief Information Officer (CIO) or Senior Manager member of the SHA Board. The SIRO may also be the Chief Information Officer (CIO) if the latter is on the Board. The SIRO will be expected to understand how the strategic business goals of the SHA may be impacted by information risks and it may, therefore, be logical for this role to be assigned to a Board member already leading on risk management or information governance. The SIRO will act as an advocate for information risk on the Board and in internal discussions, and will provide written advice to the Accountable Officer on the content of their annual Statement of Internal Control (SIC) in regard to information risk. Working within a simple governance structure, with clear lines of Information Asset ownership and well- defined roles and responsibilities, the SIRO will provide an Page 1 of 3 essential role in ensuring that identified information security risks are followed up and incidents managed. They will also ensure that the Board and the Accountable Officer are kept up to date on all information risk issues. The role will be supported by the SHA’s Information Asset Owners, Information Governance Manager, the SHA’s Risk Manager, the SHA’s Information Security Manager, the SHA’s Records Manager and the SHA’s Caldicott Guardian, although ownership of the Information Risk Policy and risk assessment process will remain with the SIRO. The role of Information Asset Owners (IAO) IAOs are accountable to the SIRO and will provide assurance that information risk is being managed effectively for those information assets that they have been assigned ownership. IAOs will be assisted in their roles by staff acting as Information Asset Administrators or equivalent who have day to day responsibility for management of information risks affecting one or more assets. Key responsibilities of the Senior Information Risk Owner To oversee the development of an Information Risk Policy, and a Strategy for implementing the policy within the existing Information Governance Framework. To take ownership of risk assessment process for information risk, including review of the annual information risk assessment to support and inform the Statement of Internal Control. To review and agree action in respect of identified information risks. To ensure that the SHA’s approach to information risk is effective in terms of resource, commitment and execution and that this is communicated to all staff. To provide a focal point for the resolution and/or discussion of information risk issues. To ensure the Board is adequately briefed on information risk issues. Training The SIRO will be required to successfully complete strategic information risk management training at least annually. Improvement plans Level 1 The SHA should nominate an Executive Director or Senior Manager Board member to be responsible for ownership of information risk across the SHA and to act as the SHA’s Senior Information Risk Owner (SIRO). Level 2 An assessment of any gaps in knowledge or skills should be undertaken and training provided to ensure that the Board member assigned responsibility for information risk has the necessary skills and knowledge to be effective in their role. The SHA should also ensure that the support infrastructure for the SIRO is in place, including the nomination of Information Asset Owners as appropriate. Page 2 of 3 Level 3 The SHA should ensure the role and responsibilities of the SIRO and the infrastructure to support the SIRO is kept under review and remains effective. The Board member assigned to the role should successfully complete the strategic information risk management training at least annually. Requirement checklist IGM_SHA_121_V7_Checklist 09-02-05.doc Key Guidance Document(s): BS ISO/IEC 27000 series of information security standards Note that only NHS Information Governance Toolkit (IGT) administrators may download a copy of these standards for their organisation. The administrator must be logged on to download the standards. DH: Information Security NHS Code of Practice The code is a guide to the methods and required standards of practice in the management of information security for those who work within or under contract to, or in business partnership with NHS organisations in England. It is based on current legal requirements, relevant standards and professional best practice and replaces HSG 1996/15 – NHS Information Management and Technology Security Manual. NHS Information Risk Management: Good Practice Guidance This guidance, published in January 2009, set out the role and responsibilities of Senior Information Risk Owners and Information Asset Owners. It includes sections dealing with Information Risk Policy, Forensic Readiness Policy and Information Security Accreditation that are all relevant to the role of the Information Security Officer. System Level Security Policy (SLSP) A template for defining system level security arrangements. This template is relevant to the Good Practice Guide above. It should be read in conjunction with the section specifically addressing security policy. Useful websites: NHS Information Governance Training Tool NHS Connecting for Health Information Governance website Page 3 of 3