Information assurance (IA) strategy

This policy is to set out our strategic direction for developing our Information Assurance (IA) capability and embedding an IA culture across RoS.

Scope

This strategy covers the confidentiality, integrity and availability of all our assets and data, encompassing our delivery partners and third party IT suppliers. It also supports our commitment to “digital by default” services, enabling secure delivery of our online public services.

Introduction

We realise that effective IA is fundamental for us effectively to conduct our statutory function and day to day business operations, and achieve our strategic objectives as set out in our Corporate Plan.

We understand that we must be able to act quickly and effectively to address new and evolving security threats, adopting a risk-based approach in prioritising our response, placing added emphasis on identifying and dealing with threats and risks before they occur, ensuring our systems and processes are as resilient as possible within the resources available.

Vision

Our vision is that IA is viewed and accepted as an enabler, recognised as integral to how we deliver our services, and where everyone understands their role and responsibilities in relation to security, and possesses the capabilities to discharge them.

We will adopt an approach that balances security with proportionality and usability, supported by a mature, security-conscious culture that proactively identifies threats, manages risk, and acts quickly, effectively and consistently in protecting our staff, customers and assets.

We will provide a well-organised and provisioned IA function operating across projects, programmes and the whole system development life cycle, capable of validating the efficiency of outsourced security services, and managing integration risks jointly with our delivery partners.

We will embed a culture of security professionalism and continuous improvement in line with modernising security across the Civil Service.

To achieve proportionate maturity levels across all the Information Assurance Maturity Model (IAMM) categories, we will maintain appropriate levels based on business requirements thereafter.

Achieving our vision

We will achieve our vision by developing and maintaining four core principles:

a) People
b) Protecting information
c) Policy and Guidance
d) Governance and Performance Evaluation

People

All our employees and third parties (including our customers) who have access to our information will be aware of their information security responsibilities. Their access to our systems and data will be effectively managed.

We will build a broad-based but proportionate security culture, driven by regular communication, education and strong governance.

We will promote a culture of personal responsibility and accountability, empowered to manage risks at their level.

We will create an environment where the application of security awareness features in terms of performance objectives, is referenced as standard within role profiles, and is recognised during performance reviews.

We will target IA training and learning regimes based on individual roles, needs and experience to ensure we have the right skills, knowledge and experience reflecting current business needs and demands.

We will build a strong, well-informed and well-supported community of Information Asset Owners (IAOs) covering all areas of our business. The IAOs will be supported by a community of Area Information Managers (AIMs), who will be provided with access to IA training and advice.

The enhancement of core and specialist capabilities will be promoted through the development of security professionalism and competency approach.

We will embed an approach for succession planning, ensuring specialist security knowledge and experience is retained within the business through a process of skills transfer and up skilling.

Delivery partners and third party IT suppliers will be required to understand the information risks to which they are exposed, and accept our expectations with regard to confidentiality, integrity, availability of information, data loss or corruption.

Protecting information

We will implement proportionate security controls, balancing business needs with protecting information assets against threats of inappropriate access, use, or loss, harming public confidence in our Registers.

Security risks will be identified and effectively managed for all our major business processes, applications and data which support our operations and decision making.

We will regularly review and assess our IA risk appetite, tolerance, capabilities and requirements, streamlining the security risk reporting process and improving the targeting of security expenditure in response to a core set of security risks.

We will embed ‘the three lines of defence in effective risk management and control’ approach, establishing functions and responsibilities that own and manage risks on a day-to-day basis (first line), that oversee risks, set policy, manage controls, and monitor compliance (second line), and Internal Audit (third line), providing independent challenge and assurance.

We will establish clear incident reporting mechanisms and establish capable incident handlers with appropriate skills and technical expertise to recover from incidents quickly and effectively.

We will retain a record of our information assets, major information risks and longstanding control weaknesses, directing and investing resource appropriately.

We will assess the value and interest in our information assets, regularly reviewing its information risk appetite, establishing threats, their sources, capabilities and methods.

We will identify all the data which flows in and out of RoS and ensure that appropriate systems are in place for the secure sharing of data.

We will ensure appropriate levels of access to staff and customer information (paper, voice and data) will be authorised commensurate to an individual’s current responsibilities and position.

We will develop our ability to identify all user transactions to ensure we have a full audit trail to protect customer data.

We will ensure security is present across all stages of new technology development, based on the principle that prevention is easier in design, and that retrofitting security into technology creates delays and extra cost.

Policy and Guidance

We will develop IT security policies, processes and guidance that are consistently applied and monitored across our business and delivery partners.

We will establish an easily accessible set of security policy statements, which will be regularly updated and maintained to reflect industry, legislative and government standards, the evolving business delivery model and changing threat landscape.

We will clearly set out our guidance for staff on the potential disciplinary and/or criminal penalties that may result from their failure to comply with our IA policies and guidance.

Governance and Performance evaluation
We will use the CPNI Security Culture Review and Evaluation (SeCURE3) tool to measure progress against the desired security culture and manage the risk of employees’ behaviour.

We will monitor, measure, analyse and evaluate our IA maturity annually against the Communications Electronics Security Group (CESG) Information Assurance Maturity Model (IAMM), and / or equivalent assessment tools.

We will measure our compliance against the HMG Security Policy Framework (SPF) and best practice in IEC/ISO 27001.

We will conduct internal audits at planned intervals.

We will enhance the scale and capability of internal assurance and accreditation expertise, supplementing internal capabilities through external business partners where additional support or expert advice is required.

We will adopt a flexible approach to security accreditation ensuring that the accreditation effort is proportionate to system complexity and risk.

We will regularly review our security governance system, ensuring it remains fit for purpose, with each element demonstrating a clear purpose and decision making role, providing collective oversight and proactive management of threats, risks, issues, infrastructure and capability requirements that affect the security of our business.

We will establish clear roles, governance and processes in respect of identifying and managing operational, programme and project security risks, ensuring risk assessments are widely communicated and security risk-based decisions are recorded and regularly reviewed.

We will develop and implement monitoring and review initiatives that will inform the level of residual risk, vulnerabilities and weaknesses that exist in the IT estate, delivering proportionate remediation plans into system maintenance and functional releases.