March 2009
Timing: Immediate
Background
1. The minimum mandatory measures on information risk mention three roles that all Departments must have in place: the Accounting Officer (AO), the Senior Information Risk Owner (SIRO) and Information Asset Owners (IAOs). This document summarises what each role involves, providing a ready checklist for the individuals who hold them.
2. This document does not summarise other roles that are not made mandatory in the same way.
Contacts
Role
- Accounting Officer
- Senior Information Risk Owner
- Information Asset Owner
Accounting Officer
The Accounting Officer has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. Information risks should be handled in a similar manner to other major risks, such as financial, legal and reputational risks.

Aspect of role: Lead and foster a culture that values, protects and uses information for the public good

Supporting actions:
- Discuss information risk in the delivery chain regularly with the Board
- Cover information risk explicitly in the statement on internal control
- Have a SIRO who is skilled, focused on the issues, and supported
- Review and encourage the Departmental plan to achieve and monitor the right culture
- Take visible steps to support and participate in that plan (including completing own training)
- Board discusses the quarterly risk assessments and the annual forward look
- Board agrees the actions needed to respond to risks and ensures they are followed up
- Board discusses breaches and near misses, to learn lessons and share them with others
- Receive an annual assessment of information risk performance from the SIRO that draws on material from Information Asset Owners and specialists
- Test the material with the SIRO and others, including internal audit
- Publish summary material in the annual report
Managing Information Risk - a guide for Accounting Officers, Board members and Senior Information Risk Owners is currently available on CESG's GSi website at http://www.cesg.gsi.gov.uk/ia-policy-portfolio/title.shtml.
Senior Information Risk Owner
Aspect of role:
- Own the overall information risk policy and risk assessment process, test its outcome, and ensure it is used
- Advise the Accounting Officer on the information risk aspects of his statement on internal control