Information Assurance for Records Managers



Page 1

Information Assurance for Records Managers

Page 2

What is Information Assurance?

• The term ‘information assurance’ (IA) is used to describe confidence in the processes of information risk management.

• Say that again, slowly!

Page 3

OK, slowly

• IA is a measured confidence about how we manage our information assets, managing risk as we go

Page 4

IA means different things to different people

• IA to some = Electronic information security

• IA to others = All information activity throughout the information lifecycle, excluding its creation and business use – unless related to the IA role

Page 5

What has this got to do with Records Managers?

1. I am a qualified Records Manager

2. Based on my knowledge surrounding Information Management I got my current job – remember, I am a Records Manager

3. Managing information risk is akin to the information lifecycle or even the Records Continuum – if you choose to distinguish

4. Records Managers assist in determining the value of information and hence the management of that information – Information Management

5. An extension of Good Information Management – Records Management is Information Assurance

Page 6

Information Assurance not Information Management?

• Let's not get excited about titles

• Information Assurance is, in my opinion, a sub-set of Information Management

• So what does Information Assurance/Management look like to me?

– Records Management
– Knowledge Management
– Information Security
– Compliance
– Data Management
– Business Partnering

Page 7

What does good Information Assurance look like?

Ensures appropriate levels of:

– Confidentiality
– Integrity
– Availability

Confidentiality

Ensuring that information is accessible only to those authorised to have access

Discussion point – is this premise still valid? Should the door be open unless closed?

Page 8

What does good Information Assurance look like? Integrity

Protection of the information from unauthorised access or revision, to ensure that the information is not compromised through corruption or falsification

Surely this is a key part of a good Records Manager's responsibilities?

Page 9

What does good Information Assurance look like? Availability

Assuring information and communications services will be ready for use when expected

Let's extend this to assuring information users that their information can be accessed when needed

Page 10

So what can a good Records Manager achieve?

• First, can the Records Manager contribute?

• Easily

• Who has the job in your organisation to ensure accessibility of a record?

– RM and ICT

• Who has the job to ensure its integrity?

– RM and ICT

• Who has the job to ensure/assure security?

– RM and ICT (see 8.2.3, 9.3a, 9.5.1d, 9.8.1d of ISO 15489 Part 1)

Page 11

So what can a good Records Manager achieve in respect of IA?

So, we have a role in:

• Confidentiality
• Availability
• Accessibility
• Integrity
• Authenticity
• Usability

Page 12

So what can a good Records Manager achieve in respect of IA?

We need a policy set which describes what we are responsible for and the extent:

• Information Assurance Policy
• Information Risk Policy
• Compliance Policy
• Security Policy
• Records Management Policy
• Information Security Policy
• Data Sharing Policy
• Data Management Policy
• Incident Management
• Information Management Policy
• Knowledge Management Policy

Page 13

What are the key components of measurable IA?

• Let's introduce the Information Assurance Maturity Model

• What is it?

• A tool to assist in delivering/measuring IA maturity

• Three IA goals

– Embedding IRM Culture within the Organisation
– Implementing Best Practice IA Measures
– Effective Compliance

Page 14

Where does the Records Manager fit in here?

• The only constant is change (Heraclitus – popularised by Rosabeth Moss-Kanter)
• The Records Manager's role is subject to change and development
• If you don’t seize the opportunity, someone else surely will
• IA is not ICT
• So here is an opportunity

Page 15

Information

• Records Managers support the information process
• A key role
• Business, government, need assurance about how their information is managed
• Because?
• Failure to do so could result in disaster
• Why not the Records Manager as leader in this role?
• Engages audit skills
• Advice and Guidance
• All related to information
• Paper and physical

Page 16

What would Records Managers need to do?

• Harness the responsibility
• Learn
• Strategise
• Deliver

Page 17

In Practical Terms

• The IAMM

• Has 5 levels

1. Initial – the main board has initiated a plan of action in respect of IA (DHR)
2. Established – An approach is endorsed to assist in improving IA maturity
3. Business Enabling – measured improvement in IRM behaviour
4. Quantitatively Managed – Evidence shows that staff culture aligns to the business model
5. Optimised – IA considered at all aspects as part of normal business

Page 18

How does the measuring work?

• 6 Themes

• Leadership and Governance
• Training, Education and Awareness
• Information Risk Management
• Through-Life IA Measures
• Assured Information Sharing
• Compliance (the stick is always last!)

Page 19

IAMM IRR Tool

• The IAMM has a tool to help measure progress
• The tool is useful to identify where change needs to be strategised, measured and delivered

• All themes have 5 levels, with a varying number of indicators

• Let's not go beyond level 2 for now

• All about Information Risk Management

Page 20

Leadership and Governance

• Level 1 – Key Components

– Board Recognition
  • Paper to the Board explaining IA and what it means to business operations

– Board Commitment
  • Board agrees to act and provide necessary resources

– SIRO Appointment
  • Board Member is appointed as Senior Information Risk Owner

• High level buy-in recognising IA

• A good Records Manager should be able to develop this – if needed.
• A better Records Manager should be able to take ownership

Page 21

Leadership and Governance

• Level 2

– Understanding by Board and acceptance for development measures
  • Board agrees a resourced work programme

– IA Strategy
  • Strategy details all of the components necessary to deliver IA maturity

– Governance Structure
  • Reporting arrangements to Board and Risk Committee are in place

• A good Records Manager should be able to prepare a paper based on what is already in the public domain – I did

Page 22

Training, Education and Awareness

• Level 1 – Key Components

• Information Risk Training developed and delivered as an annual event

– Government use NSG E-Learning Courses, level 1 and level 2

• Information security learning tools are available

• Cultural Change Plan
– Measuring change
– Clarity of Responsibility
– Review of Business Plan commitments

Page 23

Training, Education and Awareness

• Level 2

• Annual Risk Awareness Training

• Targeted IA education

• Staff behaviour is measured

• Progress on Culture Change Plan is assessed and reported to SIRO

Page 24

Information Risk Management

• Level 1

• Information Risk Policy in place

• Information risk appetite articulated

• Risk Register prepared

• Information asset owners in place to manage risk

• New IS accreditation process (RMADs)

• PIAs

• External Stakeholder contact re Risk

Page 25

Information Risk Management

• Level 2

• Accreditation status for all existing IS determined

• Risk Registers complete

• Accreditation Shortfall is managed

• Escalation process in place for Information Risk reporting

Page 26

Through-Life IA Measures

• Level 1

• IA is built into the life of the information

• Is built into projects and programmes from the outset

• Forensic Readiness Policy in place

Page 27

Through-Life IA Measures

• Level 2

• Gaps in TLIA are identified
• Work programme in place to address weaknesses in:

– Technical
– Personnel
– Physical
– Procedural

aspects of Assurance, subject to business need

Page 28

Assured Information Sharing

• Level 1

• Information sharing requirements identified

• Working with External stakeholders

• Work to implement control mechanisms in place (Information Sharing Agreements etc.)

Page 29

Assured Information Sharing

• Level 2

• Policy in place

• Delivery Partners and 3rd Party Suppliers engaged

• Enterprise-wide approach to security of all new IS

• Interconnecting IS have control measures

Page 30

Compliance

• Level 1

• Compliance regime in place to measure effectiveness of IRM re DHR MMM

• Audit committee receives assurance on IRM and can challenge effectiveness

• Annual reports on IA issues

Page 31

Compliance

• Level 2

• Comprehensive IRM Regime in action

• External IA Reviews undertaken

• Assessment towards SPF measured externally (more on SPF later)

Page 32

IAMM as a measure

• Needs buy-in

• Government easy – mandated

• Public sector not so easy, but let's explore this

• All public sector has some links to Government

• Government measures effectiveness of delivery partners and 3rd party suppliers

• Thus all public services are subject to IA Maturity and assessment

• So are Commercial partners

Page 33

Security Policy Framework

• Was previously a restricted document – Manual of Protective Security

• Now on a web site!

• Here - http://www.cabinetoffice.gov.uk/spf.aspx

• Protective Security Policy of/for Government

• 70 minimum security requirements – MANDATORY

• Should be extended to other public sector areas and contractors

Page 34

Protective Security - Explained

• Threat Mitigation

• Physical (buildings)

• Personnel (people and staff)

• Information Security (documents)

• Systems Accreditation – Technical Risk Assessments

Page 35

What does the SPF cover?

• Governance, Risk Management and Compliance

• Protective Marking and Asset Control

• Personnel Security

• Information Security and Assurance

• Physical Security

• Counter-Terrorism

• Business Continuity

Page 36

Some of the Mandatory requirements

• Security Policy 1 Governance, Risk Management and Compliance

• MANDATORY REQUIREMENT 1

• Departments and Agencies must ensure that all staff understand the relevant requirements and responsibilities placed upon them by the Security Policy Framework and that they are properly equipped to meet the mandatory security policies (green boxes) as set out in this framework.

• Where Departments, Agencies and their contractors are subject to statutory security requirements, such requirements shall take precedence. The requirements set by security regulators and actions carried out by them will be consistent with this framework.

• Further Guidance exists but much is RESTRICTED and cannot be shared here

Page 37

Security Policy 2 Protective Marking and Asset Control

• MANDATORY REQUIREMENT 11

• Departments and Agencies must apply the Protective Marking System and the necessary controls and technical measures as outlined in this framework.

• Administrative system designed to protect information

Page 38

Security Policy 3 Personnel Security

• MANDATORY REQUIREMENT 22

• Departments and Agencies must, as part of their risk management approach to protective security, assess the need to apply personnel security controls against specific posts and the access to sensitive assets.

Page 39

Security Policy 4 Information Security and Assurance

• MANDATORY REQUIREMENT 31

• Departments and Agencies must have, as a component of their overarching security policy, an information security policy setting out how they, and their delivery partners (including offshore and nearshore (EU/EEA based) Managed Service Providers), comply with the minimum requirements set out in this policy and the wider framework.

Page 40

Security Policy 5 Physical Security

• MANDATORY REQUIREMENT 50

• Departments and Agencies must adopt a ‘layered’ approach to physical security, ensuring that their physical security policy incorporates identifiable elements of prevention, detection and response.

Page 41

Security Policy 6 Counter-Terrorism

• MANDATORY REQUIREMENT 64

• All Government establishments must be categorised according to the likelihood of being, or in close proximity to, a potential terrorist target.

Page 42

Security Policy 7 Business Continuity

• MANDATORY REQUIREMENT 70

• Departments and Agencies must have robust, up to date, fit for purpose and flexible business continuity management arrangements that are regularly tested and reviewed and supported by competent staff that allow them to maintain, or as soon as possible resume provision of, key products and services in the event of disruption

Page 43

SPF and IAMM similar?

• Yes
• But measures are different

• IAMM measures maturity

• SPF measures compliance with 70 mandatory elements – Met/Not Met
– (expected to change during 2010-2011 – hopefully along same lines as IAMM)

Page 44

Why do we need these measures?

Protective security measures include physical, staff and information security, enabling government to work better

Security risks must be managed effectively, collectively and proportionately to achieve a secure and confident working environment

Page 45

The Onion

[Diagram: ‘the onion’ – concentric layers of protection around the Asset: Information Security, Personnel Security, Physical Security]


Page 48

The Whole Onion

[Diagram: the complete onion – the Asset at the centre, protected by the layers Information Security, Personnel Security and Physical Security]

Page 49

So what can IA look like? Key responsibilities

• Information Management
– Information Access regimes
– Policy Content
– Research
– Active Directory
– Project Work

• Compliance
– Legal Compliance
– Reporting
– Audit Programme
– Publication Scheme
– Seeking Legal Advice
– Privacy Impact Assessments
– Monitoring

• Information Security
– Accreditation (RMADs)
– Encryption
– Contract relationships
– Data Handling/Transfer Standards
– Data Sharing
– ISO 27001

• Knowledge Management
– People
– Standards
– Communication

• Information Assurance (IAMM)
– Vetting
– Incident Reporting
– IS Awareness
– IAO Support
– Information Risk Register
– Acceptable Use
– Evidence Collation

• Records Management
– Enterprise Systems Management
– Resilience Backups
– Registry Policy development/management
– Retention Policy Development
– Classification
– Discovery

• Training and Awareness
– Mandatory Training
– Incident Control
– IA Forum
– Information Asset Identification and Reporting

Page 50

Pros and Cons

• More responsibility
• More cost?
• More resources?
• More for less?
• Wider skill set?

Page 51

Questions?